
New Constructions of Statistical NIZKs:

Dual-Mode DV-NIZKs and More

Benoît Libert∗ Alain Passelègue† Hoeteck Wee‡ David J. Wu§

Abstract

Non-interactive zero-knowledge proofs (NIZKs) are important primitives in cryptography. A major challenge since the early works on NIZKs has been to construct NIZKs with a statistical zero-knowledge guarantee against unbounded verifiers. In the common reference string (CRS) model, such “statistical NIZK arguments” are currently known from k-Lin in a pairing-group and from LWE. In the (reusable) designated-verifier model (DV-NIZK), where a trusted setup algorithm generates a reusable verification key for checking proofs, we also have a construction from DCR. If we relax our requirements to computational zero-knowledge, we additionally have NIZKs from factoring and CDH in a pairing group in the CRS model, and from nearly all assumptions that imply public-key encryption (e.g., CDH, LPN, LWE) in the designated-verifier model. Thus, there still remains a gap in our understanding of statistical NIZKs in both the CRS and the designated-verifier models.

In this work, we develop new techniques for constructing statistical NIZK arguments. First, we construct statistical DV-NIZK arguments from the k-Lin assumption in pairing-free groups, the QR assumption, and the DCR assumption. These are the first constructions in pairing-free groups and from QR that satisfy statistical zero-knowledge. All of our constructions are secure even if the verification key is chosen maliciously (i.e., they are “malicious-designated-verifier” NIZKs), and moreover, they satisfy a “dual-mode” property where the CRS can be sampled from two computationally indistinguishable distributions: one distribution yields statistical DV-NIZK arguments while the other yields computational DV-NIZK proofs. We then show how to adapt our k-Lin construction in a pairing group to obtain new publicly-verifiable statistical NIZK arguments from pairings with a qualitatively weaker assumption than existing constructions of pairing-based statistical NIZKs.

Our constructions follow the classic paradigm of Feige, Lapidot, and Shamir (FLS). While the FLS framework has traditionally been used to construct computational (DV)-NIZK proofs, we newly show that the same framework can be leveraged to construct dual-mode (DV)-NIZKs.

1 Introduction

Non-interactive zero-knowledge (NIZK) proofs [BFM88, GMR89] allow a prover to send a single message to convince a verifier that a statement is true without revealing anything beyond this

∗ CNRS, Laboratoire LIP and ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, Inria, UCBL). Email: [email protected]. Part of this research was supported by the French ANR ALAMBIC project (ANR-16-CE39-0006).
† Inria and ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, Inria, UCBL). Email: [email protected].
‡ CNRS, ENS, PSL. Email: [email protected]. Supported in part by ERC Project aSCEND (H2020 639554).
§ University of Virginia. Email: [email protected]. Part of this work was done while visiting ENS de Lyon. Supported by NSF CNS-1917414 and a University of Virginia SEAS Research Innovation Award.


fact. Although such NIZKs cannot exist in the plain model, they can be realized in the common reference string (CRS) model, where a trusted party generates and publishes a common reference string accessible to the prover and the verifier. Shortly after the introduction of NIZKs, numerous constructions have been developed in the CRS model from many classes of cryptographic assumptions such as factoring [BFM88, DMP87, FLS90, BY92, FLS99, DDO+01, Gro10, Gol11, GR13, CL18], pairing-based assumptions [CHK03, GOS06], and lattice-based assumptions [CCH+19, PS19]. We can also construct NIZKs in the random oracle model [FS86].

A major open problem since the early works on non-interactive zero-knowledge has been to construct NIZKs with a statistical zero-knowledge guarantee against computationally-unbounded verifiers (i.e., “statistical NIZK arguments”). Here, we only have constructions from the k-Lin family of assumptions over pairing groups [GOS06, GOS12] and LWE [PS19] (or circular-secure FHE [CCH+19]). If we relax the model and consider (reusable) designated-verifier NIZKs (DV-NIZKs), where the trusted party that generates the CRS also generates a secret verification key that is used to verify proofs, then the recent work of Chase et al. [CDI+19] provides an instantiation of a statistical DV-NIZK from the DCR assumption. In contrast, if we are satisfied with computational zero-knowledge, then we can additionally construct publicly-verifiable NIZKs in the CRS model from QR [BFM88], factoring [FLS99], and the CDH assumption over a pairing group [CHK03]. In the designated-verifier model, a recent line of works [QRW19, CH19, KNYY19a, KNYY19b, LQR+19] has provided constructions of computational DV-NIZKs from essentially all cryptographic assumptions known to imply public-key encryption. These include assumptions like CDH in a pairing-free group and LPN. Thus, there is still a gap in our understanding of statistical NIZKs in the CRS model, and especially in the designated-verifier model. In this work, we develop new techniques for constructing statistical NIZKs in both the standard CRS model as well as the (reusable) designated-verifier model, which we review below.

Reusable designated-verifier NIZKs. A key focus in this work is the designated-verifier model [PsV06, DFN06], where a trusted party generates the CRS together with a secret verification key that is used to verify proofs. In this work, we focus exclusively on reusable (i.e., multi-theorem) security where soundness holds even against a prover who has oracle access to the verification algorithm. We also consider the stronger malicious-designated-verifier model (MDV-NIZKs) introduced by Quach et al. [QRW19], where a trusted party only samples a common reference string,¹ and the verifier is allowed to choose its public and secret key-pair, which is used to generate and verify proofs, respectively. Here, we require that zero-knowledge should hold even if the verifier samples its public key maliciously. As discussed in [QRW19], MDV-NIZKs are equivalent to 2-round zero-knowledge protocols in the CRS model where the verifier’s initial message is reusable. A recent line of works has shown how to construct (M)DV-NIZKs with computational zero-knowledge from nearly all assumptions known to imply public-key encryption (e.g., CDH, LWE, LPN) [QRW19, CH19, KNYY19a, KNYY19b, LQR+19].

Several recent works have also explored other relaxations of the standard notion of publicly-verifiable NIZKs such as the reusable designated-prover model (where there is a secret proving key and a public verification key) [KW18, KNYY19a] or the reusable preprocessing model (where both

¹ In [QRW19], they require the stronger notion where the CRS is a uniformly random string. In some of our constructions in this work, the CRS will be a structured string. We believe that this model is still meaningful as the CRS just needs to be sampled once and can be reused by arbitrarily many verifiers, and zero-knowledge holds as long as the CRS is properly sampled.


the proving and verification keys are secret) [BCGI18, BCG+19]. In this work, our focus is on reusable designated-verifier NIZKs and publicly-verifiable NIZKs.

Dual-mode NIZKs. An appealing feature of several existing NIZK constructions [GOS06, GOS12, PS19] is that they satisfy a “dual-mode” property. Namely, the CRS in these schemes can be sampled from one of two computationally indistinguishable distributions. One distribution yields computational NIZK proofs while the other yields statistical NIZK arguments. Dual-mode NIZKs are powerful primitives and a recent work has also studied generic constructions from obfuscation [HU19]. Most of the constructions we develop in this work naturally satisfy this dual-mode property.

1.1 Our Results

In this work, we develop new techniques for constructing statistical NIZKs for general NP languages that yield new constructions in both the reusable designated-verifier model and the standard CRS model. Our techniques enable the following new constructions:

• Under the k-Lin assumption in a pairing-free group (for any k ≥ 1; recall that 1-Lin ≡ DDH), we obtain a statistical MDV-NIZK argument in the common random string model and a computational MDV-NIZK proof in the common reference string model.² This is the first construction of a statistical DV-NIZK argument (even ignoring malicious security) in a pairing-free group, and the first construction of a computational MDV-NIZK proof from a static assumption. Previously, computational MDV-NIZK proofs were only known from the interactive “one-more CDH” assumption [QRW19].

• Under the k-Lin assumption in G1 and the k-KerLin assumption in G2 of a pairing group (for any k ≥ 1), we obtain a publicly-verifiable statistical NIZK argument in the common reference string model. Notably, the k-KerLin assumption is a search assumption that is implied by the standard k-Lin assumption [MRV15, KW15]. This is a qualitatively weaker assumption than existing pairing-based constructions of statistical NIZK arguments which rely on a decisional assumption (k-Lin) in both G1 and G2 [GOS06, GOS12].

• Under the QR assumption, we obtain a dual-mode MDV-NIZK in the common reference string model. Previously, we could only construct (publicly-verifiable) computational NIZKs from the QR assumption [BFM88] (or more generally, from factoring [FLS90, FLS99]), but nothing was known for statistical NIZKs or DV-NIZKs from these assumptions.

• Under the DCR assumption, we obtain a dual-mode MDV-NIZK in the common reference string model. This matches the recent construction described in [CDI+19], which realizes the result through a different approach (via reusable non-interactive secure computation).

We provide a detailed comparison of our constructions with existing NIZK constructions (in both the designated-verifier and the publicly-verifiable models) in Table 1. We describe the formal instantiations in Section 6.

² This is in fact a dual-mode NIZK, where one of the CRS distributions corresponds to the uniform distribution.


Construction              | Model  | Soundness   | ZK          | Assumption
--------------------------|--------|-------------|-------------|---------------------------
[BFM88]                   | public | stat.       | comp.       | QR
[FLS90, FLS99]            | public | stat.       | comp.       | trapdoor permutation
[SW14]                    | public | comp.       | perf.       | iO + one-way function
[CHK03]∗                  | public | stat.       | comp.       | CDH (G2)
[GOS06, GOS12]∗           | public | perf./comp. | comp./perf. | k-Lin (G1, G2)
This work∗                | public | comp.       | stat.       | k-Lin (G1), k-KerLin (G2)†
[PS19]                    | public | stat./comp. | comp./stat. | LWE
[QRW19, CH19, KNYY19a]    | DV     | stat.       | comp.       | CDH
[QRW19]                   | MDV    | stat.       | comp.       | one-more CDH
[LQR+19]                  | MDV    | comp.       | comp.       | CDH/LWE/LPN
[CDI+19]                  | MDV    | stat./comp. | comp./stat. | DCR
This work                 | MDV    | stat./comp. | comp./stat. | k-Lin‡/QR/DCR

∗ This is a pairing-based construction. In the assumption column, we enumerate all of the necessary hardness assumptions to instantiate the scheme (in an asymmetric setting).
† The k-KerLin refers to the kernel k-Lin assumption [MRV15, KW15], which can be viewed as the search analog of the classic k-Lin assumption [BBS04, HK07, Sha07].
‡ This is over a pairing-free group. The special case where k = 1 corresponds to the standard DDH assumption. In addition, if we consider the vanilla DV-NIZK model (without malicious security), there is a simple instantiation (over elliptic-curve groups) that achieves perfect zero-knowledge (Remark C.8).

Table 1: Comparison of our construction to existing multi-theorem NIZKs. We write “public” to denote the standard CRS model (with public proving and public verification), “DV” to denote the designated-verifier model, and “MDV” to denote the malicious-designated-verifier model. For soundness and zero-knowledge, we write “comp.” to denote the computational variant of the property, “stat.” to denote the statistical variant, and “perf.” to denote the perfect variant. When a scheme supports a dual-mode CRS, we indicate the two modes by writing “stat./comp.” For the pairing-based constructions, we list the necessary assumptions needed within each of the base groups G1 and G2 (assuming an asymmetric pairing).

From FLS to statistical NIZKs. All of our constructions follow the classic paradigm of Feige, Lapidot, and Shamir (FLS) [FLS99] who provide a general compiler from a NIZK in an idealized model (i.e., the “hidden-bits” model) to a computational NIZK proof in the CRS model. To date, all existing instantiations of the [FLS99] paradigm have yielded computational NIZK proofs in either the CRS model [FLS90, BY92, FLS99, CHK03, Gro10, Gol11, GR13, CL18] or the designated-verifier model [QRW19, CH19, KNYY19a]. In this work, we show how to adapt the general FLS paradigm to obtain new constructions of statistical NIZK arguments and more generally, dual-mode NIZKs. We provide a general overview of our techniques in Section 1.2.

We further note that previous statistical NIZK arguments from pairings, LWE, and DCR follow very different approaches. Our work can also be viewed as providing a unified approach to realizing these existing results—both computational and statistical, with the sole exception of the LWE-based scheme—via the FLS paradigm, while also improving upon some of these prior results, and obtaining new ones.


1.2 Technical Overview

We begin with a brief overview of the Feige-Lapidot-Shamir (FLS) framework [FLS90, FLS99] for constructing NIZK proofs for NP. We then describe how to adapt the main ideas from the FLS framework to obtain new constructions of (malicious) designated-verifier dual-mode NIZKs as well as publicly-verifiable statistical NIZK arguments.

The FLS framework. The starting point of the FLS construction is a NIZK in an idealized model called the “hidden-bits model.” In this model, a trusted party generates a string of uniformly random bits $r_1, \ldots, r_\rho \in \{0, 1\}$ and gives them to the prover. The prover then outputs a proof $\pi$ along with a set of indices $I \subseteq [\rho]$. The verifier receives $(\pi, \{r_i\}_{i \in I})$ from the trusted party. The model guarantees that the prover cannot influence the value of any of the $r_i$’s and the verifier does not learn anything about $r_i$ for indices $i \notin I$. Feige et al. [FLS99] showed how to construct a NIZK with statistical soundness and perfect zero-knowledge in the hidden-bits model by adapting Blum’s Σ-protocol for graph Hamiltonicity [Blu86]. Next, the FLS construction compiles a NIZK in the hidden-bits model into one in the CRS model by using the CRS to define the sequence of hidden bits. We recall the FLS compiler based on trapdoor permutations:

• The CRS contains the description of a family of trapdoor permutations over $\{0,1\}^\lambda$ together with $\rho$ random strings $w_1, \ldots, w_\rho \in \{0,1\}^\lambda$ that are used to define a string of $\rho$ hidden bits.

• A hidden-bits string is defined by sampling a permutation $\sigma$ from the family of trapdoor permutations specified by the CRS, along with a trapdoor for computing $\sigma^{-1}$. In conjunction with $w_i$ in the CRS, the permutation $\sigma$ defines a hidden bit $r_i := \mathsf{hc}(\sigma^{-1}(w_i))$, where $\mathsf{hc}(\cdot)$ is a hard-core bit of $\sigma$. We refer to $\sigma$ as a “commitment” to the hidden-bits string $r \in \{0,1\}^\rho$.

• The prover can open a commitment $\sigma$ to a bit $r_i$ by sending $(i, r_i, u_i)$ where $u_i := \sigma^{-1}(w_i)$. The verifier checks that $\sigma(u_i) = w_i$ and that $\mathsf{hc}(u_i) = r_i$.

The security argument proceeds roughly as follows:

• Since $\mathsf{hc}$ is a hard-core bit, the value of any unopened bit $r_i$ is computationally hidden given $\sigma$ and $w_i$. The resulting NIZK satisfies computational zero-knowledge.

• The permutation $\sigma$ and the string $w_i$ statistically determine $r_i$, and the prover cannot open $r_i$ to any value other than $\mathsf{hc}(\sigma^{-1}(w_i))$. The resulting NIZK satisfies statistical soundness. Note that a cheating prover can bias the bit $r_i$ due to the adaptive choice of $\sigma$. The FLS construction works around this by leveraging the fact that if the commitment $\sigma$ has length $\ell$, then a malicious prover can bias at most $\ell$ of the $\rho$ bits, and soundness holds as long as $\ell \ll \rho$.

Our approach. In this work, we start by showing how to realize a dual-mode variant of the hidden-bits model in the designated-verifier setting where the underlying commitment to the random bits is either statistically binding or statistically hiding. This “dual-mode” property yields either a computational DV-NIZK proof or a statistical DV-NIZK argument depending on how the CRS is sampled (similar to previous dual-mode NIZKs [GOS06, GOS12, PS19]). We then show how to extend one of our constructions to the publicly-verifiable setting.


An instantiation from DDH. We first sketch our construction from the DDH assumption. Here, we will work with a (multiplicative) group $\mathbb{G}$ of prime order $p$ and generator $g$. For a vector $\mathbf{v} = (v_1, \ldots, v_n) \in \mathbb{Z}_p^n$, we write $g^{\mathbf{v}}$ to denote a vector of group elements $(g^{v_1}, \ldots, g^{v_n})$. Analogous to the FLS construction from trapdoor permutations, the CRS contains

• the description $g^{\mathbf{v}}$ of a function, where $\mathbf{v} \xleftarrow{\text{R}} \mathbb{Z}_p^{\rho+1}$ and $g^{\mathbf{v}}$ plays a role similar to the family of trapdoor permutations in the FLS construction;

• $g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho}$ where each $\mathbf{w}_i \in \mathbb{Z}_p^{\rho+1}$ plays a role similar to $w_i \in \{0,1\}^\lambda$.

In our construction, we will vary the distribution of $\mathbf{w}_i$ (but not $\mathbf{v}$) as follows:

• If we want statistically-binding “hidden bits,” then we sample $\mathbf{w}_i \leftarrow s_i \mathbf{v}$, where $s_i \xleftarrow{\text{R}} \mathbb{Z}_p$.

• If we want statistically-hiding “hidden bits,” then we sample $\mathbf{w}_i \xleftarrow{\text{R}} \mathbb{Z}_p^{\rho+1}$.

Thanks to the DDH assumption, $(g^{\mathbf{v}}, g^{s_i \mathbf{v}})$ is pseudorandom, and therefore, these two CRS distributions are computationally indistinguishable.³ As with the construction from trapdoor permutations, the hidden bit $r_i$ is a function of the CRS components $g^{\mathbf{v}}, g^{\mathbf{w}_i}$ together with an additional message $\sigma$ from the prover. Concretely, the prover samples a random $\mathbf{y} \xleftarrow{\text{R}} \mathbb{Z}_p^{\rho+1}$ and sends $\sigma = g^{\mathbf{y}^\top \mathbf{v}} \in \mathbb{G}$. In conjunction with $g^{\mathbf{w}_i}$ in the CRS, the vector $\mathbf{y}$ defines a hidden bit $r_i := H(g^{\mathbf{y}^\top \mathbf{w}_i})$, where $H : \mathbb{G} \to \{0,1\}$ is a universal hash function. Importantly, while the description $g^{\mathbf{v}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho}$ in the CRS grows with $\rho$, the prover’s message $\sigma$ does not. Now, observe that:

• In binding mode where $\mathbf{w}_i = s_i \mathbf{v}$, we have $\mathbf{y}^\top \mathbf{w}_i = s_i \mathbf{y}^\top \mathbf{v}$. Then, $r_i = H(g^{\mathbf{y}^\top \mathbf{w}_i}) = H(g^{s_i \mathbf{y}^\top \mathbf{v}}) = H(\sigma^{s_i})$ is fully determined by the commitment $\sigma = g^{\mathbf{y}^\top \mathbf{v}}$ together with $g^{\mathbf{v}}, g^{\mathbf{w}_i}$ in the CRS.

• In hiding mode where $\mathbf{w}_i \xleftarrow{\text{R}} \mathbb{Z}_p^{\rho+1}$, the quantity $g^{\mathbf{y}^\top \mathbf{w}_i}$ is completely hidden given $g^{\mathbf{y}^\top \mathbf{v}}$ along with $g^{\mathbf{v}}, g^{\mathbf{w}_i}$ in the CRS, provided that $\mathbf{v}$ and $\mathbf{w}_i$ are linearly independent. More generally, perfect hiding holds as long as the vectors $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_\rho$ are linearly independent over $\mathbb{Z}_p^{\rho+1}$.

Next, to open the bit $r_i$, the prover will send along $g^{\mathbf{y}^\top \mathbf{w}_i}$. To ensure that a cheating prover computes this quantity correctly in the designated-verifier model, we rely on techniques using the Cramer-Shoup hash-proof system [CS98, CS02, CKS08] (and also used to construct computational DV-NIZK proofs from CDH [QRW19, CH19, KNYY19a]):

• The verifier’s public key consists of components $g^{\mathbf{z}_i} := g^{a \mathbf{w}_i + b_i \mathbf{v}}$ where $a, b_i \xleftarrow{\text{R}} \mathbb{Z}_p$ are secret coefficients chosen by the verifier. The secret verification key is the scalars $(a, b_1, \ldots, b_\rho)$.

• The prover sends $g^{u_i} := g^{\mathbf{y}^\top \mathbf{z}_i} \in \mathbb{G}$ in addition to $\sigma = g^{c} := g^{\mathbf{y}^\top \mathbf{v}} \in \mathbb{G}$ and $g^{t_i} := g^{\mathbf{y}^\top \mathbf{w}_i} \in \mathbb{G}$.

• The verifier checks that $g^{u_i} = (g^{t_i})^{a} (g^{c})^{b_i}$ using $(a, b_i)$.

In the statistically-binding mode where $\mathbf{w}_i = s_i \mathbf{v}$, we have $\mathbf{z}_i = (a s_i + b_i) \mathbf{v}$, so $(a, b_i)$ has (statistical) entropy given $\mathbf{v}, \mathbf{w}_i, \mathbf{z}_i$. Roughly speaking, reusable soundness then follows from the analysis of the Cramer-Shoup CCA-secure encryption scheme [CS98, CS02, CKS08] to enforce the consistency check $t_i = s_i c$. In conjunction with a NIZK in the hidden-bits model, we thus obtain a dual-mode

³ This idea of encoding either a full-rank matrix in the exponent or a rank-1 matrix in the exponent also featured in the construction of lossy public-key encryption from the Matrix Diffie-Hellman assumptions [HJR16].


DV-NIZK from the DDH assumption. This construction generalizes very naturally to the k-Lin family of assumptions [BBS04, HK07, Sha07, EHK+13] for any $k \ge 1$ (where in particular, 1-Lin is the DDH assumption). Concretely, we make the following substitutions to the above construction:

$$\mathbf{v} \in \mathbb{Z}_p^{\rho+1} \;\mapsto\; \mathbf{V} \in \mathbb{Z}_p^{(\rho+1) \times k}$$
$$s_i, b_i \in \mathbb{Z}_p \;\mapsto\; \mathbf{s}_i, \mathbf{b}_i \in \mathbb{Z}_p^{k}$$
$$t_i, u_i, c \in \mathbb{Z}_p \;\mapsto\; \mathbf{t}_i, \mathbf{u}_i, \mathbf{c} \in \mathbb{Z}_p^{k}$$

We provide the full details and security analysis in Section 4.1.

Extending to QR/DCR. Our DDH construction readily generalizes to the subgroup indistinguishability family of assumptions [BG10] (which generalize the QR [GM82] and DCR [Pai99] assumptions). While there are some technical differences in our concrete instantiations from QR (Section 5) and DCR (Appendix E), all of the main ideas can be described via the conceptually-simpler language of subgroup indistinguishability. This is the approach we take in this overview, and we refer to the technical sections for the full details. First, the subgroup indistinguishability assumption says that the distributions $(g, h, g^{r_1})$ and $(g, h, g^{r_1} h^{r_2})$ are computationally indistinguishable, where $g, h$ generate subgroups of co-prime order $m_g, m_h$, respectively, and $r_1 \xleftarrow{\text{R}} \mathbb{Z}_{m_g}$, $r_2 \xleftarrow{\text{R}} \mathbb{Z}_{m_h}$.

Similar to the DDH instantiation, the CRS contains a function $g^{\mathbf{v}}$ (where $\mathbf{v} \xleftarrow{\text{R}} \mathbb{Z}_{m_g m_h}^{\rho}$) together with additional components $g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{w}_\rho}$, where $\mathbf{w}_i = \mathbf{0}$ in binding mode and $\mathbf{w}_i = \mathbf{e}_i$ in hiding mode. Here $\mathbf{e}_i$ is the basis vector whose $i$-th index is 1. Under the subgroup indistinguishability assumption, these two distributions are computationally indistinguishable.

Next, the hidden bit $r_i$ is a function of the CRS components $g^{\mathbf{v}}$ and $g^{s_i \mathbf{v}} h^{\mathbf{w}_i}$ together with an additional commitment $\sigma$ from the prover. Specifically, the prover samples a vector $\mathbf{y} = (y_1, \ldots, y_\rho) \xleftarrow{\text{R}} \mathbb{Z}_{m_g m_h}^{\rho}$ and computes

$$\sigma := g^{\mathbf{y}^\top \mathbf{v}} \quad\text{and}\quad t_i := g^{s_i \mathbf{y}^\top \mathbf{v}} h^{\mathbf{y}^\top \mathbf{w}_i} \quad\text{and}\quad r_i := H(t_i), \qquad (1.1)$$

where $H$ is a hash function. Now, observe that:

• In binding mode where $\mathbf{w}_i = \mathbf{0}$, we have $t_i = g^{s_i \mathbf{y}^\top \mathbf{v}} = \sigma^{s_i}$. Thus, $t_i$ (and correspondingly, $r_i$) is fully determined by the commitment $\sigma$ and the components $g^{\mathbf{v}}, g^{s_i \mathbf{v}} h^{\mathbf{w}_i} = g^{s_i \mathbf{v}}$ in the CRS.

• In hiding mode where $\mathbf{w}_i = \mathbf{e}_i$, we have $t_i = g^{s_i \mathbf{y}^\top \mathbf{v}} h^{y_i}$. Since $g$ and $h$ generate subgroups of co-prime order $m_g$ and $m_h$, respectively, we can appeal to the Chinese remainder theorem to argue that the commitment $\sigma = g^{\mathbf{y}^\top \mathbf{v}}$ perfectly hides the value of $\mathbf{y} \bmod m_h$. Since $\mathbf{y}$ is uniform over $\mathbb{Z}_{m_g m_h}^{\rho}$, this means that each $t_i$ has at least $\log m_h$ bits of statistical entropy given $\sigma$ (and the components of the CRS).

In the DCR construction, $m_h = N$ is a product of two large primes, so we can use a standard universal hash function to extract a uniformly random bit [HILL99].

In the QR construction, $m_h = 2$, so each component $t_i$ contains just one bit of entropy, and we cannot appeal to the leftover hash lemma. In this case, we adapt an idea from [DGI+19] (for constructing trapdoor hash functions from QR) and use a deterministic function to extract the bit from $t_i$. We provide the full details in Section 5.


Finally, to open a bit $r_i$, the prover provides $\sigma, t_i$, along with a proof that $t_i$ and $\sigma$ are consistent (i.e., there exists some $\mathbf{y}$ such that Eq. (1.1) holds). Here, we use the same techniques as in the DDH setting (i.e., using the Cramer-Shoup hash-proof system) to implement this. In the QR setting, we encounter some challenges because the order of the subgroup generated by $h$ is polynomial-sized, which allows the adversary to break soundness with noticeable probability. To amplify soundness, we essentially embed multiple copies of the Cramer-Shoup hash-proof system and ensure that the proof verifies only if all copies verify (while retaining reusable soundness). We refer to Section 5 and Appendix E for the full analysis of the QR and DCR constructions, respectively.

Handling malicious verifiers. All of the constructions described thus far are zero-knowledge only if the verifier samples its public verification key honestly. However, if the verifier can choose its key arbitrarily, then it can break zero-knowledge. To see this, consider again the DDH construction (in hiding mode). There, the CRS contains elements $g^{\mathbf{v}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho}$, and a verifier’s public key is $(g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho})$ where $\mathbf{z}_i = a \mathbf{w}_i + b_i \mathbf{v}$. To generate a hidden-bits string $r$, the prover samples $\mathbf{y} \xleftarrow{\text{R}} \mathbb{Z}_p^{\rho+1}$ and sets $r_i = H(g^{\mathbf{y}^\top \mathbf{w}_i})$. To open a bit $r_i$, the prover computes $g^{t_i} = g^{\mathbf{y}^\top \mathbf{w}_i}$ and $g^{u_i} = g^{\mathbf{y}^\top \mathbf{z}_i}$. In order to appeal to security of the underlying NIZK in the hidden-bits model, we require that the commitment $\sigma = g^{\mathbf{y}^\top \mathbf{v}}$, the value of $r_i$, and the opening $(g^{t_i}, g^{u_i})$ do not leak information about any other (unopened) bit $r_j$. This is the case when all of the verification key components $\mathbf{z}_i$ are generated honestly. In this case, $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_\rho$ are linearly independent, and $\mathbf{z}_i$ is a function of only $\mathbf{v}$ and $\mathbf{w}_i$. However, a malicious verifier can choose $\mathbf{z}_i = \mathbf{w}_j$ for some $j \neq i$. Then, if the honest prover computes an opening to $r_i$, it will also compute $g^{u_i} = g^{\mathbf{y}^\top \mathbf{z}_i} = g^{\mathbf{y}^\top \mathbf{w}_j}$, which completely leaks the value of $r_j$. As such, the basic scheme is insecure against a malicious verifier.

This problem where an opening to $r_i$ can leak information about the value $r_j$ for $j \neq i$ is the same problem encountered in the basic DV-NIZK from [QRW19]. In this work, we adopt the same general strategy as them to defend against malicious verifiers. At a high-level, the approach of [QRW19] for achieving security against malicious verifiers is to use the basic scheme above to generate a hidden-bits string $r'_1, \ldots, r'_\ell$ of length $\ell \gg \rho$. Each of the $\rho$ hidden bits $r_1, \ldots, r_\rho$ is then derived as a sparse pseudorandom combination of the bits $r'_1, \ldots, r'_\ell$. More specifically, the prover chooses a mapping $\varphi$ that maps each index $i \in [\rho]$ onto a set $\varphi(i) \subseteq [\ell]$. Each bit $r_i$ is a deterministic function of $r'_j$ for $j \in \varphi(i)$. To open a bit $r_i$, the prover instead opens up all bits $r'_j$ for $j \in \varphi(i)$. The length $\ell$ and the size $|\varphi(i)|$ of the sets are chosen so as to ensure that for all unopened bits $j \in [\rho]$, there is at least one index $k \in \varphi(j)$ such that $r'_k$ is hidden from the verifier, which ideally, is sufficient to mask the value of $r_j$. Quach et al. show how to implement this idea by relying on a one-more CDH assumption (in conjunction with somewhere equivocal PRFs [HJO+16]), and a complex rewinding argument in the security proof. In our setting, the algebraic structure of our construction enables us to make a conceptually-simpler information-theoretic argument (and only needing to assume a PRG). As such, we are able to obtain a dual-mode MDV-NIZK from the DDH (and more generally, k-Lin) as well as the QR and DCR assumptions.

We give a brief overview of how we extend the basic DDH construction sketched above to achieve security against malicious verifiers. The same idea extends to the QR and DCR constructions. Specifically, we use our basic construction to generate a hidden-bits string of length $\ell \gg \rho$ as follows:

• The CRS (in hiding mode) consists of group elements $g^{\mathbf{v}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\ell}$, where $\mathbf{v}, \mathbf{w}_1, \ldots, \mathbf{w}_\ell \xleftarrow{\text{R}} \mathbb{Z}_p^{\ell+1}$. With overwhelming probability, these vectors are linearly independent.

• The honest verifier’s public key is $(g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\ell})$, constructed in the usual manner.


• The prover's commitment is a vector $\mathbf y \in \mathbb Z_p^{\ell+1}$ as well as a seed $s$ for a PRG.⁴ The PRG outputs a collection of $\rho$ blocks, where each block consists of a set $S_i \subseteq [\ell]$ and a vector $\boldsymbol\alpha \in \mathbb Z_p^\ell$. The hidden bit $r_i$ is determined by first computing $g^{t_j} = g^{\mathbf y^{\mathsf T}\mathbf w_j}$ for all $j \in S_i$ and defining $r_i := H\big(\prod_{j \in S_i} g^{\alpha_j t_j}\big)$.

• The opening for $r_i$ consists of $g^{t_j} = g^{\mathbf y^{\mathsf T}\mathbf w_j}$ and $g^{u_j} = g^{\mathbf y^{\mathsf T}\mathbf z_j}$ for all $j \in S_i$.

Our goal is to show that even for an adversarially-chosen verification key, the commitment $\sigma$ and the opening $(\{g^{t_j}, g^{u_j}\}_{j \in S_i})$ to a bit $r_i$ do not leak any information about $r_j$ whenever $j \neq i$.⁵ By construction, the opening to $r_i$ is determined by $\mathbf y^{\mathsf T}\mathbf v$, $\mathbf y^{\mathsf T}\mathbf w_j$, and $\mathbf y^{\mathsf T}\mathbf z_j$ for $j \in S_i$ (where the set $S_i$ is pseudorandom). Take any index $i^* \neq i$. Then, if there exists $j^* \in \varphi(i^*)$ such that $\mathbf w_{j^*}$ is linearly independent of $\{\mathbf v, \mathbf w_j, \mathbf z_j\}_{j \in S_i}$, then the value of $\mathbf y^{\mathsf T}\mathbf w_{j^*}$ is independent and uniformly random given the view of the adversary (since the honest prover samples $\mathbf y \xleftarrow{\mathrm R} \mathbb Z_p^{\ell+1}$). In this case, the value $g^{t_{j^*}} = g^{\mathbf y^{\mathsf T}\mathbf w_{j^*}}$ remains uniformly random and statistically hides $r_{i^*}$. Thus, it suffices to set $\ell$ and $|S_i|$ so that there will always exist $j^* \in \varphi(i^*)$ where $\mathbf w_{j^*}$ is linearly independent of $\{\mathbf v, \mathbf w_j, \mathbf z_j\}_{j \in S_i}$ with overwhelming probability. In the case of our DDH construction, we can set $|S_i| = \lambda$, where $\lambda$ is a security parameter, and $\ell = 3\rho^2\lambda$ to satisfy this property. We provide the full analysis of our DDH construction (more generally, its generalization to the $k$-Lin assumption) in Section 4.3, our QR construction in Section 5.2, and our DCR construction in Appendix E.2.
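The linear-independence condition above can be sanity-checked directly over a toy field. The following Python is an added example, not code from the paper: it models only the exponents (the vectors $\mathbf v, \mathbf w_j \in \mathbb Z_p^{\ell+1}$ and the verifier's $\mathbf z_j$, which a malicious verifier may pick arbitrarily and are therefore sampled uniformly here), takes the sets $\varphi(i) = S_i$ as explicit input rather than from a PRG, and reports every pair $(i^*, i)$ for which no $j^* \in \varphi(i^*)$ has $\mathbf w_{j^*}$ outside $\mathrm{span}\{\mathbf v, \mathbf w_j, \mathbf z_j\}_{j \in S_i}$. The modulus $p = 2^{61}-1$ and the small $\ell$ are assumptions for the demo; the paper's $|S_i| = \lambda$ and $\ell = 3\rho^2\lambda$ are far larger.

```python
# Added example (not from the paper): sanity check of the masking condition
# behind the malicious-verifier argument, computed over a toy field.
# Assumptions: p = 2^61 - 1 as the field, uniformly random z_j standing in
# for an adversarial verification key, explicit sets phi(i) instead of a PRG.
import random

P = (1 << 61) - 1  # toy field modulus (assumption)


def rank_mod_p(rows, p=P):
    """Rank of a list of vectors over Z_p via Gauss-Jordan elimination."""
    m = [[x % p for x in r] for r in rows]
    rank = 0
    ncols = len(m[0]) if m else 0
    for col in range(ncols):
        pivot = next((r for r in range(rank, len(m)) if m[r][col]), None)
        if pivot is None:
            continue
        m[rank], m[pivot] = m[pivot], m[rank]
        inv = pow(m[rank][col], -1, p)
        m[rank] = [(x * inv) % p for x in m[rank]]
        for r in range(len(m)):
            if r != rank and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % p for a, b in zip(m[r], m[rank])]
        rank += 1
    return rank


def in_span(vec, rows, p=P):
    """True iff vec lies in the Z_p-span of rows."""
    return rank_mod_p(rows + [vec], p) == rank_mod_p(rows, p)


def unmasked_pairs(ell, phi, seed=0, p=P):
    """Pairs (i*, i) where opening r_i could leak r_{i*}.

    phi maps each bit index i to its set phi(i) = S_i of indices in range(ell).
    For each opened bit i, the verifier's view (in the exponent) spans
    {v, w_j, z_j : j in S_i}; bit i* stays masked if some w_{j*}, j* in phi(i*),
    lies outside that span, because y^T w_{j*} is then uniform given the view.
    """
    rng = random.Random(seed)
    rand_vec = lambda: [rng.randrange(p) for _ in range(ell + 1)]
    v = rand_vec()
    w = [rand_vec() for _ in range(ell)]
    z = [rand_vec() for _ in range(ell)]   # adversarial key, modelled as random
    leaks = []
    for i, s_i in phi.items():
        view = [v] + [w[j] for j in s_i] + [z[j] for j in s_i]
        for i_star, s_star in phi.items():
            if i_star != i and all(in_span(w[j], view, p) for j in s_star):
                leaks.append((i_star, i))
    return leaks


if __name__ == "__main__":
    # ell = 12, |phi(i)| = 2: the view spans at most 5 of 13 dimensions, so
    # every unopened bit keeps an independent coordinate -> no leaks.
    print(unmasked_pairs(12, {0: {0, 1}, 1: {2, 3}, 2: {4, 5}}, seed=7))
    # ell = 2, |phi(i)| = 1: {v, w_0, z_0} already spans all of Z_p^3, so
    # r_1 is a fixed function of what the verifier sees -> both pairs leak.
    print(unmasked_pairs(2, {0: {0}, 1: {1}}, seed=7))
```

The second call shows the failure mode the parameter choice has to rule out: once the opened view spans the whole space, the unopened $\mathbf y^{\mathsf T}\mathbf w_{j^*}$ is a fixed linear function of what the verifier already holds, so nothing masks $r_{i^*}$.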

Public verifiability via pairings. All of the constructions we have described so far operate in the designated-verifier model because our constructions rely on a Cramer-Shoup-style hash proof system to argue consistency between a commitment and the opening. If we can instead publicly check consistency between a commitment and its opening, then the resulting scheme becomes publicly verifiable. For the DDH construction, we can implement the consistency check using a pairing (this is the approach taken in [CHK03] to obtain a computational NIZK proof). In this work, we develop a similar approach to obtain a statistical NIZK argument from pairings.

In particular, let $e : \mathbb G_1 \times \mathbb G_2 \to \mathbb G_T$ be an (asymmetric) pairing. Let $g_1, g_2$ be generators of $\mathbb G_1$ and $\mathbb G_2$, respectively. At a high level, we implement the DDH scheme in $\mathbb G_1$ and use $\mathbb G_2$ for verification.

More specifically, the CRS is $g_1^{\mathbf v}, g_1^{\mathbf w_1}, \ldots, g_1^{\mathbf w_\rho}$, and the verification key is $g_1^{(a\mathbf w_1 + b_1\mathbf v)}, \ldots, g_1^{(a\mathbf w_\rho + b_\rho\mathbf v)}$.

The commitment, hidden-bits sequence, and openings are defined as before:

$$\sigma = g_1^{c} = g_1^{\mathbf y^{\mathsf T}\mathbf v}, \qquad r_i = H\big(g_1^{\mathbf y^{\mathsf T}\mathbf w_i}\big), \qquad g_1^{t_i} = g_1^{\mathbf y^{\mathsf T}\mathbf w_i} \quad\text{and}\quad g_1^{u_i} = g_1^{\mathbf y^{\mathsf T}(a\mathbf w_i + b_i\mathbf v)}.$$

In the designated-verifier setting, the verifier checks $g_1^{u_i} \overset{?}{=} (g_1^{t_i})^a (g_1^c)^{b_i}$. A direct approach for public verification is to include $g_2^a, g_2^{b_1}, \ldots, g_2^{b_\rho}$ as part of the verification key, and check the following:

$$e(g_1^{u_i}, g_2) \overset{?}{=} e(g_1^{t_i}, g_2^{a}) \cdot e(g_1^{c}, g_2^{b_i}).$$

While this approach is correct, it is unclear how to argue soundness (even against computationally-bounded adversaries). In the designated-verifier setting, the soundness analysis critically relies on the verification coefficients $a, b_i$ being hidden from the adversary, and it is unclear how to make such an argument when the adversary is given $g_2^a, g_2^{b_i}$.

⁴ We require a PRG because the prover's message needs to be succinct in order to argue soundness of the resulting NIZK in the FLS paradigm. Thus, we rely on a PRG for compression. Note that even though we rely on a computational assumption, we can still show statistical zero-knowledge. The security proof only requires that there are no efficient statistical tests that can distinguish the output of the PRG from a random string (which is implied by PRG security).

⁵ To show adaptive, multi-theorem zero-knowledge, we in fact show an even stronger simulation property. We refer to Section 3 for more details.

To base hardness on a concrete cryptographic assumption, we leverage a technique from [KW15], who describe a general method to "securely publish" the verification key in the exponent (as we hoped to do in our initial attempt above) with a concrete security reduction to a search assumption in $\mathbb G_2$. This yields a general compiler from a designated-verifier scheme with unconditional soundness to a publicly-verifiable scheme with computational soundness, at the expense of requiring a pairing and a search assumption in $\mathbb G_2$. The compiler preserves zero-knowledge of the underlying scheme.

Concretely, instead of scalar verification coefficients $a, b_i$, we sample vectors $\mathbf a, \mathbf b_i \xleftarrow{\mathrm R} \mathbb Z_p^2$, and publish $g_1^{\mathbf w_i \mathbf a^{\mathsf T} + \mathbf v \mathbf b_i^{\mathsf T}}$ for each $i \in [\rho]$ in the CRS. The public verification components consist of $g_2^{\mathbf d}, g_2^{\mathbf a^{\mathsf T}\mathbf d}, g_2^{\mathbf b_1^{\mathsf T}\mathbf d}, \ldots, g_2^{\mathbf b_\rho^{\mathsf T}\mathbf d}$, where $\mathbf d \in \mathbb Z_p^2$. The key observation is that $\mathbf a, \mathbf b_1, \ldots, \mathbf b_\rho$ have statistical entropy even given the public components $g_2^{\mathbf d}, g_2^{\mathbf a^{\mathsf T}\mathbf d}, g_2^{\mathbf b_1^{\mathsf T}\mathbf d}, \ldots, g_2^{\mathbf b_\rho^{\mathsf T}\mathbf d}$. The commitment, hidden-bits sequence, and openings are still computed as before, except the verification component $g_1^{u_i}$ is replaced with $g_1^{\mathbf u_i^{\mathsf T}} = g_1^{\mathbf y^{\mathsf T}(\mathbf w_i \mathbf a^{\mathsf T} + \mathbf v \mathbf b_i^{\mathsf T})}$. The verification relation now checks

$$e(g_1^{\mathbf u_i^{\mathsf T}}, g_2^{\mathbf d}) \overset{?}{=} e(g_1^{t_i}, g_2^{\mathbf a^{\mathsf T}\mathbf d}) \cdot e(g_1^{c}, g_2^{\mathbf b_i^{\mathsf T}\mathbf d}).$$
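As an added check (this derivation is not in the paper's text), here is why the relation holds and how it contains the designated-verifier check as a special case. The vector-pairing notation $e(g_1^{\mathbf u}, g_2^{\mathbf d}) = \prod_k e(g_1^{u_k}, g_2^{d_k}) = g_T^{\mathbf u^{\mathsf T}\mathbf d}$ with $g_T = e(g_1, g_2)$ is the standard convention and is assumed here. Writing $c = \mathbf y^{\mathsf T}\mathbf v$ and $t_i = \mathbf y^{\mathsf T}\mathbf w_i$, the exponent of the left-hand side expands as

$$\mathbf u_i^{\mathsf T}\mathbf d = \mathbf y^{\mathsf T}(\mathbf w_i \mathbf a^{\mathsf T} + \mathbf v \mathbf b_i^{\mathsf T})\mathbf d = (\mathbf y^{\mathsf T}\mathbf w_i)(\mathbf a^{\mathsf T}\mathbf d) + (\mathbf y^{\mathsf T}\mathbf v)(\mathbf b_i^{\mathsf T}\mathbf d) = t_i\,(\mathbf a^{\mathsf T}\mathbf d) + c\,(\mathbf b_i^{\mathsf T}\mathbf d),$$

so by bilinearity

$$e(g_1^{\mathbf u_i^{\mathsf T}}, g_2^{\mathbf d}) = g_T^{t_i\,\mathbf a^{\mathsf T}\mathbf d} \cdot g_T^{c\,\mathbf b_i^{\mathsf T}\mathbf d} = e(g_1^{t_i}, g_2^{\mathbf a^{\mathsf T}\mathbf d}) \cdot e(g_1^{c}, g_2^{\mathbf b_i^{\mathsf T}\mathbf d}).$$

Setting $\mathbf a = a$, $\mathbf b_i = b_i$ and $\mathbf d = 1$ (all scalars) recovers the designated-verifier check $g_1^{u_i} = (g_1^{t_i})^a (g_1^c)^{b_i}$ in the exponent: $u_i = a t_i + b_i c$. With $\mathbf a \in \mathbb Z_p^2$, the public component $g_2^{\mathbf a^{\mathsf T}\mathbf d}$ fixes only the single scalar $\mathbf a^{\mathsf T}\mathbf d$, which leaves $\mathbf a$ uniform on a line of $p$ points of $\mathbb Z_p^2$ given the public key; the same holds for each $\mathbf b_i$. This residual entropy is exactly what the soundness argument below relies on.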

Since the verification coefficients $\mathbf a, \mathbf b_1, \ldots, \mathbf b_\rho$ have statistical entropy given the public key, we can appeal to DDH in $\mathbb G_1$ and the 1-KerLin assumption (a search assumption that is weaker than DDH) over $\mathbb G_2$ to argue soundness of the resulting construction. This yields a publicly-verifiable statistical NIZK argument in the common reference string model. We provide the full description and analysis (generalized to the $k$-Lin and $k$-KerLin family of assumptions for any $k \geq 1$) in Section 4.2.

Our pairing-based construction does not appear to have a dual mode, and it is unclear how to modify this construction to obtain computational NIZK proofs. We do note that computational NIZK proofs can be built directly from pairings (under the CDH assumption in $\mathbb G_1$) also by following the FLS paradigm [CHK03]. At the same time, it is also unclear how to adapt the [CHK03] construction to obtain statistical NIZK arguments.

A unifying abstraction: dual-mode hidden-bits generators. We unify the different algebraic constructions through the abstraction of a "dual-mode hidden-bits generator." Previously, Quach et al. [QRW19] introduced the notion of a hidden-bits generator (HBG) and showed how to use an HBG to implement the classic FLS paradigm in both the designated-verifier and the publicly-verifiable settings. Very briefly, an HBG with output size $\rho$ consists of four main algorithms $(\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{GenBits}, \mathsf{Verify})$:

• The $\mathsf{Setup}$ algorithm outputs a common reference string $\mathsf{crs}$, and $\mathsf{KeyGen}$ generates a public key $\mathsf{pk}$ along with a (possibly secret) verification key $\mathsf{sk}$.

• The $\mathsf{GenBits}$ algorithm outputs a short commitment $\sigma$ together with a sequence of hidden bits $r \in \{0,1\}^\rho$ as well as openings $\{\pi_i\}_{i \in [\rho]}$.

• The $\mathsf{Verify}$ algorithm takes an index $i \in [\rho]$, a bit $r_i \in \{0,1\}$, and an opening $\pi_i$ and either accepts or rejects the proof.

The main security requirements are statistical binding (i.e., no adversary can produce a commitment $\sigma$ and valid openings $\pi_i, \pi'_i$ that open to 0 and 1 for the same index) and computational hiding (i.e., an honestly-generated commitment $\sigma$ and set of openings $\{r_i, \pi_i\}_{i \in I}$ should hide all unopened bits $r_j$ for $j \notin I$ from any computationally-bounded adversary). Quach et al. show that an HBG with these properties can be combined directly with a NIZK in the hidden-bits model to obtain a computational NIZK proof in the CRS model. If the HBG is in the (malicious) designated-verifier model, then so is the resulting NIZK.

In this work, we extend this framework by introducing the notion of a dual-mode HBG where the CRS can be generated in one of two modes: a binding mode where the HBG satisfies statistical binding (as in [QRW19]) and a hiding mode where the HBG satisfies a stronger notion of statistical hiding (i.e., the unopened bits are statistically hidden given the CRS, the commitment $\sigma$, and any subset of opened bits $\{(r_i, \pi_i)\}_{i \in I}$). In our case, we impose an even stronger equivocation property in the hiding mode: namely, given any set of indices $I \subseteq [\rho]$ and any assignment $r_I \in \{0,1\}^{|I|}$ to that set, it is possible to simulate a commitment $\sigma$ and a set of openings $\{\pi_i\}_{i \in I}$ that is statistically indistinguishable from the output of the honest generator. This allows us to directly argue adaptive and multi-theorem⁶ statistical zero-knowledge for the resulting NIZK construction. We give our formal definition in Section 3, and describe our construction of dual-mode (designated-verifier) NIZKs from dual-mode (designated-verifier) HBGs in Section 3.1. In Section 4, Section 5, and Appendix E, we show how to construct dual-mode HBGs from the $k$-Lin, QR, and DCR assumptions.

2 Preliminaries

Throughout this work, we write $\lambda$ (oftentimes implicitly) to denote the security parameter. For a positive integer $n \in \mathbb N$, we write $[n]$ to denote the set $\{1, \ldots, n\}$. We will typically use bold lowercase letters (e.g., $\mathbf v, \mathbf w$) to denote vectors and bold uppercase letters (e.g., $\mathbf A, \mathbf B$) to denote matrices. For a vector $\mathbf v \in \mathbb Z_p^n$, we will use non-boldface letters to refer to its components; namely, we write $\mathbf v = (v_1, \ldots, v_n)$. For a (sorted) set of indices $I = \{i_1, \ldots, i_m\} \subseteq [n]$, we write $\mathbf v_I$ to denote the sub-vector $(v_{i_1}, \ldots, v_{i_m})$. For a matrix $\mathbf A$, we write $\mathrm{span}(\mathbf A)$ to denote the vector space spanned by the columns of $\mathbf A$.

We say that a function $f$ is negligible in $\lambda$, denoted $\mathrm{negl}(\lambda)$, if $f(\lambda) = o(1/\lambda^c)$ for all $c \in \mathbb N$. We write $\mathrm{poly}(\lambda)$ to denote a function bounded by a fixed polynomial in $\lambda$. We say an event happens with negligible probability if the probability of the event happening is negligible, and that it happens with overwhelming probability if its complement occurs with negligible probability. We say that an algorithm is efficient if it runs in probabilistic polynomial time in the length of its inputs. We say that two families of distributions $\mathcal D_1 = \{\mathcal D_{1,\lambda}\}_{\lambda \in \mathbb N}$ and $\mathcal D_2 = \{\mathcal D_{2,\lambda}\}_{\lambda \in \mathbb N}$ are computationally indistinguishable if no efficient adversary can distinguish samples from $\mathcal D_1$ and $\mathcal D_2$ except with negligible probability, and we denote this by writing $\mathcal D_1 \overset{c}{\approx} \mathcal D_2$. For two distributions $\mathcal D_1, \mathcal D_2$, we write $\Delta(\mathcal D_1, \mathcal D_2)$ to denote the statistical distance between $\mathcal D_1$ and $\mathcal D_2$. We write $\mathcal D_1 \overset{s}{\approx} \mathcal D_2$ to denote that $\mathcal D_1$ and $\mathcal D_2$ are statistically indistinguishable: namely, that $\Delta(\mathcal D_1, \mathcal D_2) = \mathrm{negl}(\lambda)$. For a finite set $S$, we write $x \xleftarrow{\mathrm R} S$ to denote that $x$ is sampled uniformly at random from $S$. For a distribution $\mathcal D$, we write $x \leftarrow \mathcal D$ to denote that $x$ is sampled from $\mathcal D$. We now recall the definition of a pseudorandom generator (PRG).

⁶ We can also use the transformation from [FLS99] to generically go from single-theorem zero-knowledge to multi-theorem zero-knowledge, but at the expense of making non-black-box use of a PRG. Our approach yields a direct construction of multi-theorem zero-knowledge without needing to make non-black-box use of cryptography. We discuss this in greater detail in Remark 2.12.


Definition 2.1 (Pseudorandom Generator). A pseudorandom generator (PRG) with seed length $\kappa = \kappa(\lambda)$ and output length $\ell = \ell(\lambda)$ is an efficiently-computable function $G : \{0,1\}^\kappa \to \{0,1\}^\ell$ with the property that for all efficient adversaries $\mathcal A$,

$$\Big|\Pr\big[s \xleftarrow{\mathrm R} \{0,1\}^\kappa : \mathcal A(G(s)) = 1\big] - \Pr\big[t \xleftarrow{\mathrm R} \{0,1\}^\ell : \mathcal A(t) = 1\big]\Big| = \mathrm{negl}(\lambda).$$

2.1 Hash Functions and Randomness Extraction

We now recall the leftover hash lemma [HILL99] and some properties of hash functions.

Definition 2.2 (Uniformity of Hash Functions). A family of hash functions $\mathcal H = \{H : \mathcal X \to \mathcal Y\}$ satisfies statistical uniformity if

$$\{H \xleftarrow{\mathrm R} \mathcal H,\ x \xleftarrow{\mathrm R} \mathcal X : (H, H(x))\} \overset{s}{\approx} \{H \xleftarrow{\mathrm R} \mathcal H,\ y \xleftarrow{\mathrm R} \mathcal Y : (H, y)\}.$$

When the two distributions above are identically distributed, then $\mathcal H$ satisfies perfect uniformity.

Definition 2.3 (Universal Hash Function). A family of hash functions $\mathcal H = \{H : \mathcal X \to \{0,1\}^\ell\}$ is universal if for any $x_1 \neq x_2 \in \mathcal X$, we have that $\Pr[H \xleftarrow{\mathrm R} \mathcal H : H(x_1) = H(x_2)] \leq 1/2^\ell$.

Lemma 2.4 (Leftover Hash Lemma [HILL99]). Let $\mathcal H = \{H : \mathcal X \to \{0,1\}^\ell\}$ be a universal family of hash functions. Take any $\varepsilon > 0$ and let $\mathcal D$ be a distribution over $\mathcal X$ with min-entropy $H_\infty(\mathcal D) \geq \ell + 2\log(1/\varepsilon)$. Then, $\Delta((H, H(x)), (H, U)) \leq \varepsilon$, where $H \xleftarrow{\mathrm R} \mathcal H$, $x \leftarrow \mathcal D$, and $U \xleftarrow{\mathrm R} \{0,1\}^\ell$.

Corollary 2.5 (Universal Hash Functions are Statistically Uniform). Let $\mathcal H = \{H : \mathcal X \to \{0,1\}^\ell\}$ be a universal family of hash functions. If $\log|\mathcal X| \geq \ell + \omega(\log\lambda)$, then $\mathcal H$ satisfies statistical uniformity. (This is Lemma 2.4 applied to the uniform distribution over $\mathcal X$, which has min-entropy $\log|\mathcal X|$, with $\varepsilon = 2^{-\omega(\log\lambda)} = \mathrm{negl}(\lambda)$.)

We also need a variant of the leftover hash lemma that allows extracting randomness from sourcesthat may be correlated with the seed. We use the following lemma from [YYHK16]:

Lemma 2.6 (Randomness Extraction from Seed-Dependent Sources [YYHK16]). Let $\mathcal H = \{H : \mathcal X \to \{0,1\}^\ell\}$ be a family of pairwise-independent hash functions. Take any $\varepsilon > 0$ and let $\mathcal D = \{\mathcal D_i : H_\infty(\mathcal D_i) \geq \ell + 2\log(1/\varepsilon)\}_{i \in [M]}$ be a collection of distributions $\mathcal D_i$ over $\mathcal X$, each with min-entropy at least $\ell + 2\log(1/\varepsilon)$. Then, for all algorithms $\mathcal A$ that take as input a hash function $H \in \mathcal H$ and output an index $i \in [M]$,

$$\Delta((H, H(x)), (H, U)) \leq |\mathcal D| \cdot \varepsilon = M\varepsilon,$$

where $H \xleftarrow{\mathrm R} \mathcal H$, $i \leftarrow \mathcal A(H)$, $x \leftarrow \mathcal D_i$, and $U \xleftarrow{\mathrm R} \{0,1\}^\ell$.

2.2 NIZKs in the Hidden-Bits Model

In this section, we recall the notion of a NIZK in the hidden-bits model [FLS99]. Our presentation is adapted from the descriptions in [QRW19, CH19, KNYY19a].

Definition 2.7 (NIZKs in the Hidden-Bits Model). Let $\mathcal L \subseteq \{0,1\}^n$ be an NP language associated with an NP relation $\mathcal R$ with $n = n(\lambda)$. A non-interactive zero-knowledge proof in the hidden-bits model for $\mathcal L$ consists of a tuple $\Pi_{\mathsf{HBM}} = (\mathsf{Prove}, \mathsf{Verify})$ and a parameter $\rho = \rho(\lambda, n)$ with the following properties:


• $\mathsf{Prove}(1^\lambda, r, x, w) \to (I, \pi)$: On input the security parameter $\lambda$, a string $r \in \{0,1\}^\rho$, a statement $x \in \{0,1\}^n$ and a witness $w$, this algorithm outputs a set of indices $I \subseteq [\rho]$ and a proof $\pi$.

• $\mathsf{Verify}(1^\lambda, I, r_I, x, \pi) \to \{0,1\}$: On input the security parameter $\lambda$, a subset $I \subseteq [\rho]$, a string $r_I \in \{0,1\}^{|I|}$, a statement $x \in \{0,1\}^n$ and a proof $\pi$, the verification algorithm outputs a bit $b \in \{0,1\}$.

Moreover, ΠHBM satisfies the following properties:

• Completeness: For all $(x, w) \in \mathcal R$ and $r \in \{0,1\}^\rho$,

$$\Pr[(I, \pi) \leftarrow \mathsf{Prove}(1^\lambda, r, x, w) : \mathsf{Verify}(1^\lambda, I, r_I, x, \pi) = 1] = 1.$$

• Statistical soundness: For all unbounded provers $\mathcal P^*$, we have that for $r \xleftarrow{\mathrm R} \{0,1\}^\rho$ and $(x, \pi, I) \leftarrow \mathcal P^*(1^\lambda, r)$,

$$\Pr[x \notin \mathcal L \wedge \mathsf{Verify}(1^\lambda, I, r_I, x, \pi) = 1] = \mathrm{negl}(\lambda).$$

We will oftentimes refer to the above probability as the soundness error.

• Perfect zero-knowledge: There exists an efficient simulator $\mathcal S$ such that for all unbounded verifiers $\mathcal V^*$, if we take $(x, w) \leftarrow \mathcal V^*(1^\lambda)$, $r \xleftarrow{\mathrm R} \{0,1\}^\rho$, $(I, \pi) \leftarrow \mathsf{Prove}(1^\lambda, r, x, w)$, and $(\tilde I, \tilde r_{\tilde I}, \tilde\pi) \leftarrow \mathcal S(1^\lambda, x)$, and moreover if $\mathcal R(x, w) = 1$, then the following two distributions are identically distributed:

$$(I, r_I, \pi) \equiv (\tilde I, \tilde r_{\tilde I}, \tilde\pi).$$

Remark 2.8 (Soundness Amplification). Take any polynomial $\ell = \ell(\lambda, n)$. Then, given any NIZK in the hidden-bits model with soundness error $\varepsilon$, we can construct another NIZK in the hidden-bits model with soundness error $\varepsilon^\ell$ by running $\ell$ copies of the NIZK in parallel (and accepting a proof only if all of the $\ell$ copies are valid). The simulator would simulate each of the individual instances independently. Parallel repetition increases the length of the hidden-bits string by a factor of $\ell$.

Theorem 2.9 (NIZKs in the Hidden-Bits Model [FLS99]). For any $\varepsilon > 0$, every language $\mathcal L \in \mathsf{NP}$ has a NIZK in the hidden-bits model with soundness error $\varepsilon$ and relying on a hidden-bits string of length $\rho = \mathrm{poly}(n, \log(1/\varepsilon))$.

2.3 Designated-Verifier NIZKs and Dual-Mode NIZKs

We now review the notion of a reusable designated-verifier NIZK (DV-NIZK). Namely, we require that the same common reference string and verification state can be reused to prove and verify many statements without compromising either soundness or zero-knowledge. As in [LQR+19], we use the fine-grained notion with separate setup and key-generation algorithms. The setup algorithm samples the common reference string (CRS) while the key-generation algorithm generates a public key (used to generate proofs) along with a secret key (used to verify proofs). We allow the same CRS to be reusable by many verifiers, who each generate their own public/secret key-pairs. In the traditional notion of DV-NIZKs, the setup and key-generation algorithms would be combined into a single algorithm that outputs the CRS (which would include the public proving key) along with a secret verification key.


Definition 2.10 (Designated-Verifier NIZK). Let $\mathcal L \subseteq \{0,1\}^n$ be an NP language associated with an NP relation $\mathcal R$ with $n = n(\lambda)$. A reusable designated-verifier non-interactive zero-knowledge (DV-NIZK) proof for $\mathcal L$ consists of a tuple of efficient algorithms $\Pi_{\mathsf{dvNIZK}} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Prove}, \mathsf{Verify})$ with the following properties:

• $\mathsf{Setup}(1^\lambda) \to \mathsf{crs}$: On input the security parameter $\lambda$, this algorithm outputs a common reference string $\mathsf{crs}$. If $\mathsf{Setup}$ outputs a uniformly random string, we say that the scheme is in the common random string model.

• $\mathsf{KeyGen}(\mathsf{crs}) \to (\mathsf{pk}, \mathsf{sk})$: On input the common reference string $\mathsf{crs}$, the key-generation algorithm outputs a public key $\mathsf{pk}$ and a secret key $\mathsf{sk}$.

• $\mathsf{Prove}(\mathsf{crs}, \mathsf{pk}, x, w) \to \pi$: On input the common reference string $\mathsf{crs}$, a public key $\mathsf{pk}$, a statement $x \in \{0,1\}^n$, and a witness $w$, this algorithm outputs a proof $\pi$.

• $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x, \pi) \to \{0,1\}$: On input the common reference string $\mathsf{crs}$, a secret verification key $\mathsf{sk}$, a statement $x$, and a proof $\pi$, the verification algorithm outputs a bit $b \in \{0,1\}$.

Moreover, ΠdvNIZK should satisfy the following properties:

• Completeness: For all $(x, w) \in \mathcal R$, and taking $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$,

$$\Pr[\pi \leftarrow \mathsf{Prove}(\mathsf{crs}, \mathsf{pk}, x, w) : \mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x, \pi) = 1] = 1.$$

• (Statistical) soundness: We consider two variants of soundness:

– Non-adaptive soundness: For all $x \notin \mathcal L$, all polynomials $q = q(\lambda)$, and all unbounded adversaries $\mathcal A$ making at most $q$ verification queries, and sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, we have that

$$\Pr\big[\pi \leftarrow \mathcal A^{\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \cdot, \cdot)}(1^\lambda, \mathsf{crs}, \mathsf{pk}, x) : \mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x, \pi) = 1\big] = \mathrm{negl}(\lambda).$$

– Adaptive soundness: For all polynomials $q = q(\lambda)$ and all unbounded adversaries $\mathcal A$ making at most $q$ verification queries, and sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, we have that

$$\Pr\big[(x, \pi) \leftarrow \mathcal A^{\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \cdot, \cdot)}(1^\lambda, \mathsf{crs}, \mathsf{pk}) : x \notin \mathcal L \wedge \mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x, \pi) = 1\big] = \mathrm{negl}(\lambda).$$

We also define the corresponding notions of computational soundness where the above properties only need to hold against efficient adversaries $\mathcal A$.

• (Statistical) zero-knowledge: For all polynomials $q = q(\lambda)$ and all unbounded adversaries $\mathcal A$ making at most $q$ oracle queries, there exists an efficient simulator $\mathcal S = (\mathcal S_1, \mathcal S_2)$ such that

$$\Big|\Pr\big[\mathcal A^{\mathcal O_0(\mathsf{crs}, \mathsf{pk}, \cdot, \cdot)}(\mathsf{crs}, \mathsf{pk}, \mathsf{sk}) = 1\big] - \Pr\big[\mathcal A^{\mathcal O_1(\mathsf{st}_{\mathcal S}, \cdot, \cdot)}(\mathsf{crs}, \mathsf{pk}, \mathsf{sk}) = 1\big]\Big| = \mathrm{negl}(\lambda),$$

where $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$ in the first probability and $(\mathsf{st}_{\mathcal S}, \mathsf{crs}, \mathsf{pk}, \mathsf{sk}) \leftarrow \mathcal S_1(1^\lambda)$ in the second, the oracle $\mathcal O_0(\mathsf{crs}, \mathsf{pk}, x, w)$ outputs $\mathsf{Prove}(\mathsf{crs}, \mathsf{pk}, x, w)$ if $\mathcal R(x, w) = 1$ and $\bot$ otherwise, and the oracle $\mathcal O_1(\mathsf{st}_{\mathcal S}, x, w)$ outputs $\mathcal S_2(\mathsf{st}_{\mathcal S}, x)$ if $\mathcal R(x, w) = 1$ and $\bot$ otherwise. Similar to soundness, we also consider computational zero-knowledge where the above property only needs to hold against efficient adversaries $\mathcal A$.


Definition 2.11 (Publicly-Verifiable NIZKs). A NIZK $\Pi_{\mathsf{NIZK}}$ is publicly-verifiable if the secret key output by $\mathsf{KeyGen}$ is empty. In this case, we can combine the $\mathsf{Setup}$ and $\mathsf{KeyGen}$ algorithms into a single algorithm that just outputs the CRS, and there is no notion of separate public/secret keys $\mathsf{pk}$ and $\mathsf{sk}$. Both the $\mathsf{Prove}$ and $\mathsf{Verify}$ algorithms just take $\mathsf{crs}$ as input. We can define all of the properties analogously. In the publicly-verifiable setting, we do not need to provide the prover a separate verification oracle in the soundness game.

Remark 2.12 (Single-Theorem vs. Multi-Theorem Zero-Knowledge). The zero-knowledge property in Definition 2.10 is multi-theorem in the sense that the adversary can see proofs of multiple statements. We can consider a weaker notion of single-theorem zero-knowledge where the adversary can only see a proof on a single (adaptively-chosen) statement. Previously, Feige et al. [FLS99] showed how to generically compile a single-theorem NIZK into a multi-theorem NIZK using a PRG. This transformation also applies in the designated-verifier setting [QRW19, CH19, KNYY19a]. One limitation of the [FLS99] transformation is that it requires making non-black-box use of a PRG. The constructions we present in this work directly achieve multi-theorem zero-knowledge without needing to go through the [FLS99] transformation. As such, our constructions do not require making non-black-box use of any cryptographic primitives.

Malicious DV-NIZKs. We also consider the notion of a malicious designated-verifier NIZK (MDV-NIZK) from [QRW19] where zero-knowledge holds even when the public key $\mathsf{pk}$ is chosen maliciously. In this case, the only trusted setup that we require is generating the common reference string (or, in some cases, a common random string), which can be reused by many verifiers.

Definition 2.13 (Malicious Designated-Verifier NIZKs [QRW19]). Let $\Pi_{\mathsf{dvNIZK}} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Prove}, \mathsf{Verify})$ be a DV-NIZK for a language $\mathcal L$. We say that $\Pi_{\mathsf{dvNIZK}}$ satisfies statistical zero-knowledge against malicious verifiers if for all polynomials $q = q(\lambda)$ and all unbounded adversaries $\mathcal A$ making at most $q$ oracle queries, there exists an efficient simulator $\mathcal S = (\mathcal S_1, \mathcal S_2)$ such that

$$\Big|\Pr[\mathsf{ExptReal}[\mathcal A, \mathcal S](1^\lambda) = 1] - \Pr[\mathsf{ExptSim}[\mathcal A, \mathcal S](1^\lambda) = 1]\Big| = \mathrm{negl}(\lambda),$$

where the two experiments $\mathsf{ExptReal}[\mathcal A, \mathcal S](1^\lambda)$ and $\mathsf{ExptSim}[\mathcal A, \mathcal S](1^\lambda)$ proceed as follows:

• Setup phase: In $\mathsf{ExptReal}$, the challenger samples $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$ and gives $\mathsf{crs}$ to $\mathcal A$. In $\mathsf{ExptSim}$, the challenger samples $(\mathsf{st}_{\mathcal S}, \mathsf{crs}) \leftarrow \mathcal S_1(1^\lambda)$ and gives $\mathsf{crs}$ to $\mathcal A$. The adversary replies with a public key $\mathsf{pk}$.

• Query phase: Algorithm $\mathcal A$ is then given access to a proving oracle, and is allowed to make up to $q$ queries to the oracle. On an input $(x, w)$, the challenger replies with $\bot$ if $\mathcal R(x, w) \neq 1$. Otherwise, in $\mathsf{ExptReal}$, the challenger replies with $\pi \leftarrow \mathsf{Prove}(\mathsf{crs}, \mathsf{pk}, x, w)$, while in $\mathsf{ExptSim}$, the challenger replies with $\pi \leftarrow \mathcal S_2(\mathsf{st}_{\mathcal S}, \mathsf{pk}, x)$.

• Output phase: At the end of the experiment, the adversary outputs a bit $b' \in \{0,1\}$, which is the output of the experiment.

Correspondingly, we can define the analogous notion of computational zero-knowledge against malicious verifiers by only requiring the above property to hold against computationally-bounded adversaries. If $\Pi_{\mathsf{dvNIZK}}$ provides zero-knowledge against malicious verifiers, we say it is a malicious-designated-verifier NIZK (MDV-NIZK).


Dual-mode DV-NIZKs. Next, we recall the formal definition of a dual-mode (DV)-NIZK [GOS06, GOS12].

Definition 2.14 (Dual-Mode Designated-Verifier NIZK). A dual-mode DV-NIZK $\Pi_{\mathsf{dvNIZK}} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Prove}, \mathsf{Verify})$ is a DV-NIZK with the following additional properties:

• Dual-mode: The $\mathsf{Setup}$ algorithm takes an additional argument $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$, and outputs a common reference string $\mathsf{crs}$.

• CRS indistinguishability: The common reference strings output by the two modes are computationally indistinguishable:

$$\mathsf{Setup}(1^\lambda, \mathsf{binding}) \overset{c}{\approx} \mathsf{Setup}(1^\lambda, \mathsf{hiding}).$$

• Statistical soundness in binding mode: If $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, \mathsf{binding})$, the designated-verifier NIZK satisfies statistical soundness.

• Statistical zero-knowledge in hiding mode: If $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, \mathsf{hiding})$, the designated-verifier NIZK satisfies statistical zero-knowledge.

We define a dual-mode MDV-NIZK analogously by requiring the stronger property of statistical zero-knowledge against malicious verifiers in hiding mode.

Remark 2.15 (Dual-Mode Designated-Verifier NIZKs). Let $\Pi_{\mathsf{dvNIZK}} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{Prove}, \mathsf{Verify})$ be a dual-mode DV-NIZK for a language $\mathcal L \subseteq \{0,1\}^n$. Then, the following properties hold:

• When the CRS is generated in binding mode, $\Pi_{\mathsf{dvNIZK}}$ satisfies statistical soundness and computational zero-knowledge (i.e., $\Pi_{\mathsf{dvNIZK}}$ is a "computational DV-NIZK proof").

• When the CRS is generated in hiding mode, $\Pi_{\mathsf{dvNIZK}}$ satisfies non-adaptive computational soundness and statistical zero-knowledge (i.e., $\Pi_{\mathsf{dvNIZK}}$ is a "statistical DV-NIZK argument").

• If $\Pi_{\mathsf{dvNIZK}}$ is a dual-mode MDV-NIZK, then the zero-knowledge properties in each of the above instantiations also hold against malicious verifiers.

The first two properties follow from CRS indistinguishability and the corresponding statistical properties of $\Pi_{\mathsf{dvNIZK}}$ in the two modes. Note though that even if $\Pi_{\mathsf{dvNIZK}}$ satisfies adaptive soundness in binding mode, we do not know how to argue adaptive soundness for $\Pi_{\mathsf{dvNIZK}}$ in hiding mode. At a high level, this is because in the definition of adaptive soundness, checking whether the adversary succeeded or not requires deciding whether the statement $x$ output by the adversary is contained in the language $\mathcal L$ or not. Unless $\mathsf{NP} \subseteq \mathsf{P}/\mathsf{poly}$, this is not an efficiently-checkable property in general, and as such, we are not able to directly argue adaptive soundness of the construction. We refer to [AF07] for more discussion on the challenges of using black-box reductions to argue adaptive soundness for statistical NIZK arguments.

Remark 2.16 (Adaptive Soundness via Complexity Leveraging). Using complexity leveraging [BB04] and relying on a sub-exponential hardness assumption (as in [GOS06, GOS12]), we can show that non-adaptive soundness implies adaptive soundness. A direct application of complexity leveraging to a dual-mode NIZK yields an adaptively-sound statistical NIZK argument for proving statements of a priori bounded length $n = n(\lambda)$. Using the method from [QRW19, §7] (see also Remark 6.5), we can also obtain adaptive soundness for statements with arbitrary polynomial length, but still at the expense of a subexponential hardness assumption.


3 Dual-Mode Hidden-Bits Generators and Dual-Mode DV-NIZKs

In this section, we formally define a dual-mode hidden-bits generator. Our definition extends the notion of a hidden-bits generator from [QRW19] (and the similar notion of a designated-verifier PRG from [CH19]). Our definition differs from that in [QRW19] in the following respects:

• Dual mode: We require that the common reference string for the hidden-bits generator can be generated in two computationally indistinguishable modes: a binding mode where the commitment statistically binds to a sequence of hidden bits, and a hiding mode where the commitment (and the openings to any subset of the bits) statistically hide the remaining bits.

• Statistical simulation in hiding mode: Minimally, our hiding property requires that the commitment and openings to any subset of the bits output by the HBG statistically hide the unopened bits. Here, we require an even stronger simulation property where there is an efficient simulator that can simulate the commitment and openings to any (random) string, given only the values of the opened bits. Moreover, we allow the adversary to adaptively choose the subset of bits for which it wants to see openings, and we also allow multiple interactions with the simulator. This strong simulation property enables us to directly argue adaptive and multi-theorem statistical zero-knowledge for our NIZK constructions (Section 3.1).⁷

Definition 3.1 (Dual-Mode Hidden-Bits Generator). Let $\lambda$ be a security parameter and $\rho$ be the output length. Let $\ell = \ell(\lambda, \rho)$ be a polynomial. A dual-mode (designated-verifier) hidden-bits generator (HBG) with commitments of length $\ell$ consists of a tuple of efficient algorithms $\Pi_{\mathsf{HBG}} = (\mathsf{Setup}, \mathsf{KeyGen}, \mathsf{GenBits}, \mathsf{Verify})$ with the following properties:

• $\mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{mode}) \to \mathsf{crs}$: On input the security parameter $\lambda$, a length $\rho$, and a mode $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$, the setup algorithm outputs a common reference string $\mathsf{crs}$.

• $\mathsf{KeyGen}(\mathsf{crs}) \to (\mathsf{pk}, \mathsf{sk})$: On input a common reference string $\mathsf{crs}$, the key-generation algorithm outputs a public key $\mathsf{pk}$ and a secret key $\mathsf{sk}$.

• $\mathsf{GenBits}(\mathsf{crs}, \mathsf{pk}) \to (\sigma, r, \{\pi_i\}_{i \in [\rho]})$: On input a common reference string $\mathsf{crs}$ and a public key $\mathsf{pk}$, the bit-generation algorithm outputs a commitment $\sigma \in \{0,1\}^\ell$, a string $r \in \{0,1\}^\rho$, and a collection of proofs $\pi_i$ for $i \in [\rho]$.

• $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i) \to \{0,1\}$: On input a common reference string $\mathsf{crs}$, a secret key $\mathsf{sk}$, a commitment $\sigma \in \{0,1\}^\ell$, an index $i \in [\rho]$, a bit $r_i \in \{0,1\}$, and a proof $\pi_i$, the verification algorithm outputs a bit $b \in \{0,1\}$.

In addition, we require that ΠHBG satisfy the following properties:

• Correctness: For all integers $\lambda \in \mathbb N$, all polynomials $\rho = \rho(\lambda)$, all indices $i \in [\rho]$ and both modes $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$, and sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{mode})$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, and $(\sigma, r, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathsf{GenBits}(\mathsf{crs}, \mathsf{pk})$, we have

$$\Pr[\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i) = 1] = 1.$$

⁷ The previous notion from [QRW19] was only sufficient for single-theorem non-adaptive computational zero-knowledge. Extending to adaptive multi-theorem computational zero-knowledge required imposing additional properties on the underlying NIZK in the hidden-bits model as well as making non-black-box use of cryptographic primitives [FLS99].


• Succinctness: The length $\ell$ of the commitment depends only on the security parameter and not the length of the output: namely, $\ell = \mathrm{poly}(\lambda)$.⁸

• CRS indistinguishability: For all polynomials $\rho = \rho(\lambda)$, we have that

$$\mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{binding}) \overset{c}{\approx} \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding}).$$

• Statistically binding in binding mode: There exists a (possibly inefficient) deterministic algorithm $\mathsf{Open}(\mathsf{crs}, \sigma)$ such that for all polynomials $\rho = \rho(\lambda)$ and $q = q(\lambda)$ and all unbounded adversaries $\mathcal A$ making up to $q$ oracle queries, and sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{binding})$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, $(\sigma^*, i^*, r^*, \pi^*) \leftarrow \mathcal A^{\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \cdot, \cdot, \cdot, \cdot)}(1^\lambda, 1^\rho, \mathsf{crs}, \mathsf{pk})$, $r \leftarrow \mathsf{Open}(\mathsf{crs}, \sigma^*)$, we have that

$$\Pr[r_{i^*} \neq r^* \wedge \mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma^*, i^*, r^*, \pi^*) = 1] = \mathrm{negl}(\lambda).$$

• Statistical simulation in hiding mode: For all polynomials $\rho = \rho(\lambda)$, $q = q(\lambda)$, and all unbounded adversaries $\mathcal A$ making up to $q$ queries, there exists an efficient simulator $\mathcal S = (\mathcal S_1, \mathcal S_2)$ such that

$$\Big|\Pr[\mathsf{ExptHide}[\mathcal A, \mathcal S, 0](1^\lambda, 1^\rho) = 1] - \Pr[\mathsf{ExptHide}[\mathcal A, \mathcal S, 1](1^\lambda, 1^\rho) = 1]\Big| = \mathrm{negl}(\lambda), \tag{3.1}$$

where for a bit $b \in \{0,1\}$, the hiding experiment $\mathsf{ExptHide}[\mathcal A, \mathcal S, b](1^\lambda, 1^\rho)$ is defined as follows:

– Setup phase: If $b = 0$, the challenger samples $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding})$ and $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, and gives $(\mathsf{crs}, \mathsf{pk}, \mathsf{sk})$ to $\mathcal A$. If $b = 1$, it samples $(\mathsf{st}_{\mathcal S}, \mathsf{crs}, \mathsf{pk}, \mathsf{sk}) \leftarrow \mathcal S_1(1^\lambda, 1^\rho)$ and gives $(\mathsf{crs}, \mathsf{pk}, \mathsf{sk})$ to $\mathcal A$.

– Query phase: The adversary $\mathcal A$ can now make up to $q$ challenge queries. On each query, the challenger responds as follows:

∗ If $b = 0$, the challenger computes $(\sigma, r, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathsf{GenBits}(\mathsf{crs}, \mathsf{pk})$ and gives $r$ to the adversary. If $b = 1$, the challenger responds with $r \xleftarrow{\mathrm R} \{0,1\}^\rho$.

∗ The adversary specifies a subset $I \subseteq [\rho]$.

∗ If $b = 0$, then the challenger replies with the pair $(\sigma, \{\pi_i\}_{i \in I})$ it sampled above. If $b = 1$, the challenger replies to $\mathcal A$ with $(\sigma, \{\pi_i\}_{i \in I}) \leftarrow \mathcal S_2(\mathsf{st}_{\mathcal S}, I, r_I)$.

– Output phase: At the end of the experiment, the adversary outputs a bit $b' \in \{0,1\}$, which is the output of the experiment.

When the difference in Eq. (3.1) is identically zero, we say that $\Pi_{\mathsf{HBG}}$ satisfies perfect simulation in hiding mode.

Definition 3.2 (Publicly-Verifiable Dual-Mode HBG). A dual-mode HBG ΠHBG is publicly-verifiable if the secret key sk output by KeyGen is empty. In this case, we can combine the Setup algorithm and the KeyGen algorithm into a single algorithm that just outputs the crs, and there is no notion of separate public/secret keys pk and sk. The GenBits and Verify algorithms just take crs as input. We define all of the other properties analogously. In the publicly-verifiable setting, we do not need to provide the verification oracle to the adversary in the statistical binding security definition.

⁸ We remark that this is a stronger requirement than the corresponding requirement in [QRW19], which also allows ℓ to scale sublinearly with ρ. We use this definition because it is conceptually simpler and all of our constructions satisfy this stronger property.


Definition 3.3 (Statistical Simulation for Malicious Keys). Let ΠHBG = (Setup, KeyGen, GenBits, Verify) be a hidden-bits generator. We say that ΠHBG satisfies statistical simulation for malicious keys if ΠHBG satisfies the following stronger simulation property (where the adversary chooses the public key pk) in hiding mode:

• Statistical simulation for malicious keys: For all polynomials ρ = ρ(λ), q = q(λ), and all unbounded adversaries A making up to q queries, there exists an efficient simulator S = (S_1, S_2) such that

$\bigl|\Pr[\mathsf{ExptHide}^*[\mathcal{A},\mathcal{S},0](1^\lambda,1^\rho)=1] - \Pr[\mathsf{ExptHide}^*[\mathcal{A},\mathcal{S},1](1^\lambda,1^\rho)=1]\bigr| = \mathrm{negl}(\lambda),$

where for a bit b ∈ {0, 1}, the hiding experiment ExptHide*[A, S, b](1^λ, 1^ρ) is defined to be ExptHide[A, S, b](1^λ, 1^ρ) with the following differences:

– Setup phase: If b = 0, the challenger samples crs ← Setup(1^λ, 1^ρ, hiding) and gives crs to A. If b = 1, the challenger samples (st_S, crs) ← S_1(1^λ, 1^ρ) and gives crs to A. The adversary then chooses a public key pk.

– Query phase: Same as in ExptHide[A, S, b], except when b = 1, the challenger also provides the (adversarially-chosen) public key pk to the simulator. In other words, when b = 1, the challenger's reply to A is computed as (σ, {π_i}_{i∈I}) ← S_2(st_S, pk, I, r_I).

– Output phase: Same as in ExptHide[A, S, b].

3.1 Dual-Mode DV-NIZK from Dual-Mode HBG

In this section, we give our construction of a dual-mode designated-verifier NIZK from a dual-mode designated-verifier HBG and a NIZK in the hidden-bits model. Our generic construction is essentially the same as the corresponding construction from [QRW19]. We do rely on a different argument to show adaptive, multi-theorem statistical zero-knowledge, and in particular, we appeal to the statistical simulation property of our dual-mode HBG that we introduced in Definition 3.1.

Construction 3.4 (Dual-Mode DV-NIZK from Dual-Mode HBG). Let L ⊆ {0, 1}^n be an NP language with associated NP relation R. We rely on the following building blocks:

• Let ΠHBM = (HBM.Prove, HBM.Verify) be a NIZK in the hidden-bits model for L, and let ρ = ρ(λ) be the length of the hidden-bits string for ΠHBM.

• Let ΠHBG = (HBG.Setup, HBG.KeyGen, HBG.GenBits, HBG.Verify) be a hidden-bits generator with commitments of length ℓ = ℓ(λ, ρ), where λ is the security parameter and ρ is the output length of the generator.

We construct a dual-mode DV-NIZK ΠdvNIZK = (Setup, KeyGen, Prove, Verify) for L as follows:

• Setup(1^λ, mode) → crs: On input λ and mode ∈ {binding, hiding}, sample s ←ᴿ {0, 1}^ρ. Then, run crsHBG ← HBG.Setup(1^λ, 1^ρ, mode), and output crs = (λ, s, crsHBG).

• KeyGen(crs) → (pk, sk): On input crs = (λ, s, crsHBG), the key-generation algorithm runs (pkHBG, skHBG) ← HBG.KeyGen(crsHBG) and outputs pk = pkHBG and sk = skHBG.


• Prove(crs, pk, x, w) → π: On input crs = (λ, s, crsHBG), pk = pkHBG, x ∈ {0, 1}^n, and w, compute a hidden-bits string (σ, r, {πHBG,i}_{i∈[ρ]}) ← HBG.GenBits(crsHBG, pkHBG), and an HBM proof (I, πHBM) ← HBM.Prove(1^λ, r ⊕ s, x, w). Output π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM).

• Verify(crs, sk, x, π): On input crs = (λ, s, crsHBG), sk = skHBG, x ∈ {0, 1}^n, and the proof π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM), output 1 if HBM.Verify(1^λ, I, r_I ⊕ s_I, x, πHBM) = 1 and HBG.Verify(crsHBG, skHBG, σ, i, r_i, πHBG,i) = 1 for all i ∈ I. Otherwise, output 0.

Theorem 3.5 (Completeness). If ΠHBM is complete and ΠHBG is correct, then ΠdvNIZK from Construction 3.4 is complete.

Proof. Take any mode ∈ {binding, hiding}, and sample crs ← Setup(1^λ, mode), (pk, sk) ← KeyGen(crs). Here, crs = (λ, s, crsHBG), pk = pkHBG, and sk = skHBG. Take any statement (x, w) ∈ R, and let π ← Prove(crs, pk, x, w). Then π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM). Consider the behavior of Verify(crs, sk, x, π). By correctness of ΠHBG, HBG.Verify(crsHBG, skHBG, σ, i, r_i, πHBG,i) = 1 for all i ∈ I. By completeness of ΠHBM, HBM.Verify(1^λ, I, r_I ⊕ s_I, x, πHBM) = 1, and the verifier accepts.

Theorem 3.6 (CRS Indistinguishability). If ΠHBG satisfies CRS indistinguishability, then ΠdvNIZK from Construction 3.4 satisfies CRS indistinguishability.

Proof. The CRS in Construction 3.4 consists of a tuple (λ, s, crsHBG). In both modes, the first two components are identically distributed, and crsHBG is computationally indistinguishable by CRS indistinguishability of ΠHBG.

Theorem 3.7 (Statistical Soundness in Binding Mode). If ΠHBM is statistically sound with soundness error ε(λ), ΠHBG is statistically binding in binding mode, and 2^ℓ · ε = negl(λ), then ΠdvNIZK from Construction 3.4 satisfies adaptive statistical soundness.

The proof of Theorem 3.7 is very similar to the corresponding proof of adaptive statistical soundnessfrom [QRW19]. We include it in Appendix A.

Theorem 3.8 (Statistical Zero-Knowledge in Hiding Mode). If ΠHBM satisfies statistical (resp., perfect) zero-knowledge and ΠHBG provides statistical (resp., perfect) simulation in hiding mode, then ΠdvNIZK from Construction 3.4 satisfies statistical (resp., perfect) zero-knowledge in hiding mode.

Proof. Let SHBM denote the zero-knowledge simulator for ΠHBM and SHBG = (SHBG,1, SHBG,2) be the simulator for ΠHBG in hiding mode. We construct a simulator S = (S_1, S_2) as follows:

• S_1(1^λ) → (st_S, crs, pk, sk): Run (stHBG, crsHBG, pkHBG, skHBG) ← SHBG,1(1^λ, 1^ρ). Choose s ←ᴿ {0, 1}^ρ and set st_S = stHBG, crs = (λ, s, crsHBG), pk = pkHBG, and sk = skHBG. Output (st_S, crs, pk, sk).

• S_2(st_S, x) → π: On input st_S = stHBG and x ∈ {0, 1}^n, run (I, r_I, πHBM) ← SHBM(1^λ, x) and (σ, {πHBG,i}_{i∈I}) ← SHBG,2(stHBG, I, r_I ⊕ s_I). Output the simulated proof π = (σ, I, r_I ⊕ s_I, {πHBG,i}_{i∈I}, πHBM).

To complete the proof, we proceed via a hybrid argument:


• Hyb0: This is the real distribution. Namely, the challenger begins by sampling crs ← Setup(1^λ) and (pk, sk) ← KeyGen(crs), and gives (crs, pk, sk) to the adversary. The challenger responds to oracle queries on inputs (x, w) with π ← Prove(crs, pk, x, w) if R(x, w) = 1 and with ⊥ otherwise.

In more detail, the challenger samples s ←ᴿ {0, 1}^ρ and runs crsHBG ← HBG.Setup(1^λ, 1^ρ, hiding), and (pkHBG, skHBG) ← HBG.KeyGen(crsHBG). It sets crs = (λ, s, crsHBG), pk = pkHBG, and sk = skHBG. When the adversary makes an oracle query on (x, w) where R(x, w) = 1, the challenger computes (σ, r, {πHBG,i}_{i∈[ρ]}) ← HBG.GenBits(crsHBG, pkHBG) and (I, πHBM) ← HBM.Prove(1^λ, r ⊕ s, x, w). It outputs π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM).

• Hyb1: Same as Hyb0, except the challenger uses SHBG,1 to generate the common reference string and public/secret keys. It uses SHBG,2 to simulate the openings to the hidden-bits generator when responding to oracle queries. Specifically, the challenger works as follows:

1. At the start of the game, the challenger runs (stHBG, crsHBG, pkHBG, skHBG) ← SHBG,1(1^λ, 1^ρ). It samples s ←ᴿ {0, 1}^ρ and gives crs = (λ, s, crsHBG), pk = pkHBG, and sk = skHBG to the adversary.

2. Whenever the adversary makes an oracle query (x, w) where R(x, w) = 0, the challenger replies with ⊥. Otherwise, it samples r ←ᴿ {0, 1}^ρ and runs (I, πHBM) ← HBM.Prove(1^λ, r ⊕ s, x, w). Then, it samples (σ, {πHBG,i}_{i∈I}) ← SHBG,2(stHBG, I, r_I), and finally outputs the proof π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM).

• Hyb2: Same as Hyb1, except when responding to oracle queries, the challenger uses the simulator for the hidden-bits model NIZK to simulate the proofs. More precisely, on input (x, w) where R(x, w) = 1, the challenger computes (I, r′_I, πHBM) ← SHBM(1^λ, x). It sets r_I = r′_I ⊕ s_I, and computes (σ, {πHBG,i}_{i∈I}) ← SHBG,2(stHBG, I, r_I) and outputs the proof π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM). This is the simulated distribution (up to interchanging the labels r_I and r′_I).

For an adversary A, we write Hyb_i(A) to denote the output distribution of Hyb_i with adversary A. We now show that the output distributions of each adjacent pair of hybrid experiments are statistically indistinguishable.

Lemma 3.9. If ΠHBG satisfies statistical (resp., perfect) simulation in hiding mode, then the output distributions of Hyb0 and Hyb1 are statistically (resp., perfectly) indistinguishable.

Proof. Suppose there exists an adversary A such that |Pr[Hyb0(A) = 1] − Pr[Hyb1(A) = 1]| = ε for some non-negligible ε. We use A to construct an adversary B such that ExptHide[B, SHBG, 0] and ExptHide[B, SHBG, 1] are distinguishable (with the same advantage ε). Algorithm B works as follows:

• First, algorithm B receives a tuple (crsHBG, pkHBG, skHBG) from the challenger. It samples s ←ᴿ {0, 1}^ρ, and gives crs = (λ, s, crsHBG), pk = pkHBG, and sk = skHBG to A.

• When A makes a query on (x, w), if R(x, w) = 0, algorithm B responds with ⊥. Otherwise, B makes a challenge query to its challenger to obtain a string r ∈ {0, 1}^ρ. Algorithm B computes (I, πHBM) ← HBM.Prove(1^λ, r ⊕ s, x, w) and gives I ⊆ [ρ] to the challenger. The challenger replies with a pair (σ, {πHBG,i}_{i∈I}). Finally, B replies to A with the proof π = (σ, I, r_I, {πHBG,i}_{i∈I}, πHBM).

• At the end of the game, B outputs whatever A outputs.

By construction, if the challenger generates the parameters and answers the queries according to ExptHide[B, SHBG, 0], then B perfectly simulates Hyb0 for A. Alternatively, if the challenger implements the logic according to ExptHide[B, SHBG, 1], then B perfectly simulates Hyb1 for A.

Lemma 3.10. If ΠHBM satisfies statistical (resp., perfect) zero-knowledge, then the output distributions of Hyb1 and Hyb2 are statistically (resp., perfectly) indistinguishable.

Proof. We define a sequence of q + 1 intermediate hybrid experiments Hyb1,0, . . . , Hyb1,q, where q = poly(λ) is a bound on the number of queries the adversary makes. Hybrid Hyb1,i is the experiment where the first i oracle queries are handled according to the procedure in Hyb2 and the remaining queries are handled according to the procedure in Hyb1. By construction Hyb1,0 ≡ Hyb1 and Hyb1,q ≡ Hyb2. Moreover, each adjacent pair of hybrid experiments Hyb1,i−1 and Hyb1,i only differ in how the ith oracle query (x, w) is handled. In Hyb1,i−1, the challenger samples a random r ←ᴿ {0, 1}^ρ and computes (I, πHBM) ← HBM.Prove(1^λ, r ⊕ s, x, w), while in Hyb1,i, the challenger invokes the simulator (I, r′_I, πHBM) ← SHBM(1^λ, x). By statistical zero-knowledge of ΠHBM, we have that (I, r_I ⊕ s_I, πHBM) ≈_s (I, r′_I, πHBM). If ΠHBM satisfies perfect zero-knowledge, then these two distributions are identically distributed. Correspondingly, hybrids Hyb1,i−1 and Hyb1,i are statistically indistinguishable (or identically distributed if ΠHBM satisfies perfect zero-knowledge). Since q = poly(λ), we conclude by a hybrid argument that the outputs of Hyb1 and Hyb2 are statistically indistinguishable (or identically distributed if ΠHBM satisfies perfect zero-knowledge).

Since each consecutive pair of hybrid experiments is statistically indistinguishable (or identically distributed), the claim follows.

Theorem 3.11 (Statistical Zero-Knowledge against Malicious Verifiers). If ΠHBM satisfies statistical zero-knowledge and ΠHBG provides statistical simulation for malicious keys, then Construction 3.4 is a MDV-NIZK. Namely, Construction 3.4 satisfies statistical zero-knowledge against malicious verifiers in hiding mode.

The proof of Theorem 3.11 follows from a similar argument as Theorem 3.8 and is included in Appendix A.

4 Dual-Mode HBGs from the k-Lin Assumption

In this section, we show how to construct dual-mode hidden-bits generators from the k-Lin assumption. We begin with a basic construction from the k-Lin assumption (Section 4.1) and then show how to extend it to achieve public verifiability in a pairing group (Section 4.2) as well as how to achieve security against malicious verifiers in a pairing-free group (Section 4.3).


4.1 Dual-Mode Hidden-Bits Generator from k-Lin

In this section, we show how to construct a dual-mode hidden-bits generator from the k-linear (k-Lin) assumption [BBS04, HK07, Sha07, EHK+13] over pairing-free groups for any k ≥ 1. We note that the 1-Lin assumption is precisely the decisional Diffie-Hellman (DDH) assumption. We begin by recalling some basic notation as well as the k-Lin assumption.

Notation. Throughout this section, we will work with cyclic groups G of prime order p. We will use multiplicative notation to denote the group operation. For x ∈ Z_p, we often refer to g^x as an "encoding" of x. For a matrix A ∈ Z_p^{n×m}, we write g^A ∈ G^{n×m} to denote the matrix of group elements formed by taking the element-wise encoding of each component of A.

Definition 4.1 (Prime-Order Group Generator). A prime-order group generator algorithm GroupGen is an efficient algorithm that on input the security parameter 1^λ outputs a description G = (G, p, g) of a prime-order group G with order p and generator g. Throughout this work, we will assume that 1/p = negl(λ).

Definition 4.2 (k-Linear Assumption [BBS04, HK07, Sha07, EHK+13]). Fix a constant k ≥ 1. We say that a prime-order group generator GroupGen satisfies the k-Lin assumption if for all efficient adversaries A and sampling G = (G, p, g) ← GroupGen(1^λ), a ←ᴿ Z_p^k, w ←ᴿ Z_p^k, and u ←ᴿ Z_p^{k+1}, we have that

$\bigl|\Pr[\mathcal{A}(\mathcal{G}, g^{\mathbf{A}}, g^{\mathbf{A}\mathbf{w}}) = 1] - \Pr[\mathcal{A}(\mathcal{G}, g^{\mathbf{A}}, g^{\mathbf{u}}) = 1]\bigr| = \mathrm{negl}(\lambda),$

where

$\mathbf{A} = \begin{pmatrix} \mathrm{diag}(\mathbf{a}) \\ \mathbf{1}^{\mathsf{T}} \end{pmatrix} \in \mathbb{Z}_p^{(k+1)\times k}, \quad (4.1)$

and diag(a) ∈ Z_p^{k×k} denotes the diagonal matrix whose entries are a_1, . . . , a_k, and 1 ∈ Z_p^k is the all-ones vector (so that Aw ∈ Z_p^{k+1} has the same dimension as u).

Construction 4.3 (Dual-Mode Hidden-Bits Generator from k-Lin). Let GroupGen be a prime-order group generator algorithm. We construct a dual-mode hidden-bits generator (HBG) as follows:

• Setup(1^λ, 1^ρ, mode) → crs: First, the setup algorithm samples G = (G, p, g) ← GroupGen(1^λ) and a hash function H ←ᴿ ℋ, where ℋ is a family of hash functions with domain G and range {0, 1}. Next, it samples V ←ᴿ Z_p^{(ρ+k)×k} and vectors w_1, . . . , w_ρ ∈ Z_p^{ρ+k} as follows:

– If mode = hiding, sample w_i ←ᴿ Z_p^{ρ+k} for all i ∈ [ρ].

– If mode = binding, sample s_i ←ᴿ Z_p^k and set w_i ← V s_i for all i ∈ [ρ].

Output crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ρ}).

• KeyGen(crs) → (pk, sk): On input crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ρ}), the key-generation algorithm samples a ←ᴿ Z_p and b_1, . . . , b_ρ ←ᴿ Z_p^k. For each i ∈ [ρ], it sets z_i ← w_i a + V b_i ∈ Z_p^{ρ+k}. It outputs

pk = (g^{z_1}, . . . , g^{z_ρ}) and sk = (a, b_1, . . . , b_ρ).


• GenBits(crs, pk) → (σ, r, {π_i}_{i∈[ρ]}): On input crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ρ}) and public key pk = (g^{z_1}, . . . , g^{z_ρ}), sample y ←ᴿ Z_p^{ρ+k} and compute for each i ∈ [ρ],

$g^{t_i} \leftarrow g^{\mathbf{y}^{\mathsf{T}}\mathbf{w}_i} \quad \text{and} \quad g^{u_i} \leftarrow g^{\mathbf{y}^{\mathsf{T}}\mathbf{z}_i}.$

Next, let σ = g^{y^T V}. For each i ∈ [ρ], set r_i ← H(g^{t_i}) and π_i ← (g^{t_i}, g^{u_i}), and output σ, r, and {π_i}_{i∈[ρ]}.

• Verify(crs, sk, σ, i, r_i, π_i): On input crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ρ}), secret key sk = (a, b_1, . . . , b_ρ), σ = g^{c^T}, i ∈ [ρ], r_i ∈ {0, 1}, and π_i = (g^{t_i}, g^{u_i}), output 1 if

$g^{u_i} = \bigl(g^{t_i}\bigr)^{a} \cdot g^{\mathbf{c}^{\mathsf{T}}\mathbf{b}_i}$

and r_i = H(g^{t_i}). Otherwise, output 0.

Correctness and security analysis. We now state the correctness and security theorems for Construction 4.3 and give the proofs in Appendix C.1.

Theorem 4.4 (Correctness). Construction 4.3 is correct.

Theorem 4.5 (Succinctness). Construction 4.3 is succinct.

Theorem 4.6 (CRS Indistinguishability). Suppose the k-Lin assumption holds for GroupGen. Then, Construction 4.3 satisfies CRS indistinguishability.

Theorem 4.7 (Statistical Binding in Binding Mode). Construction 4.3 satisfies statistical binding in binding mode.

Theorem 4.8 (Statistical Simulation in Hiding Mode). If H satisfies statistical uniformity, then Construction 4.3 satisfies statistical simulation in hiding mode.

Remark 4.9 (Common Random String in Hiding Mode). Construction 4.3 has the property that in hiding mode, the CRS is a collection of uniformly random group elements; in other words, the CRS in hiding mode can be sampled as a common random string. In conjunction with Construction 3.4, we obtain a statistical NIZK argument in the common random string model (and a computational NIZK proof in the common reference string model).

4.2 Publicly-Verifiable Hidden-Bit Generators from Pairings

In this section, we describe a variant of our dual-mode hidden-bits generator from Section 4.1 to obtain a publicly-verifiable hidden-bits generator from pairings. Our resulting construction does not give a dual-mode hidden-bits generator. Instead, we obtain a standard HBG (where there is a single mode) that satisfies statistical simulation and computational binding. Using an analog of Construction 3.4, this suffices to construct a publicly-verifiable statistical NIZK argument. We refer to Appendix B for the details. Below, we define the computational binding property we use:

Definition 4.10 (Computational Binding). A publicly-verifiable hidden bits generator ΠHBG = (Setup, GenBits, Verify) is computationally binding if the following property holds:

• Computational binding: There exists an efficient extractor E = (E_1, E_2), where E_2 is deterministic, and for all polynomials ρ = ρ(λ), the following two properties hold:


– CRS indistinguishability: The following distributions are computationally indistinguishable:

$\{\mathsf{Setup}(1^\lambda, 1^\rho)\} \approx_c \{(\mathsf{st}_{\mathcal{E}}, \mathsf{crs}) \leftarrow \mathcal{E}_1(1^\lambda, 1^\rho) : \mathsf{crs}\}.$

– Binding: For all efficient adversaries A, and sampling (st_E, crs) ← E_1(1^λ, 1^ρ) followed by (σ*, i*, r*, π*) ← A(1^λ, 1^ρ, crs) and r ← E_2(st_E, σ*), we have that

$\Pr\bigl[r_{i^*} \neq r^* \wedge \mathsf{Verify}(\mathsf{crs}, \sigma^*, i^*, r^*, \pi^*) = 1\bigr] = \mathrm{negl}(\lambda).$

Pairing groups. In this section, we work in (asymmetric) pairing groups. We review the notion of a pairing below, as well as the kernel k-linear (k-KerLin) assumption [MRV15, KW15], which can be viewed as a search version of the k-linear assumption. As shown in [KW15], the k-KerLin assumption is weaker than the k-Lin assumption (in particular, k-Lin implies k-KerLin), but stronger than the CDH assumption.

Definition 4.11 (Prime-Order Pairing-Group Generator). A prime-order (asymmetric) pairing group generator algorithm PairingGroupGen is an efficient algorithm that on input the security parameter 1^λ outputs a description G = (G_1, G_2, G_T, p, g_1, g_2, e) of two base groups G_1 (generated by g_1), G_2 (generated by g_2), and a target group G_T, all of prime order p, together with an efficiently-computable mapping e : G_1 × G_2 → G_T (called the "pairing"). Finally, the mapping e is bilinear: for all x, y ∈ Z_p, e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}.

Definition 4.12 (Kernel k-Linear Assumption [MRV15, KW15]). The kernel k-linear (k-KerLin) assumption holds in G_2 relative to a pairing-group generator PairingGroupGen if for all efficient adversaries A, and sampling G = (G_1, G_2, G_T, p, g_1, g_2, e) ← PairingGroupGen(1^λ), a ←ᴿ Z_p^k, and defining A ∈ Z_p^{(k+1)×k} as in Eq. (4.1), the following holds:

$\Pr\bigl[g_1^{\mathbf{c}^{\mathsf{T}}} \leftarrow \mathcal{A}(\mathcal{G}, g_2^{\mathbf{A}}) : \mathbf{c}^{\mathsf{T}}\mathbf{A} = \mathbf{0} \wedge \mathbf{c} \neq \mathbf{0}\bigr] = \mathrm{negl}(\lambda).$

We can define an analogous assumption over G1 (by interchanging the roles of G1 and G2 above).

Notation. For a matrix A, we continue to write g_1^A and g_2^A to denote matrices of group elements (over G_1 and G_2, respectively). In addition, if we have two matrices A ∈ Z^{m×ℓ} and B ∈ Z^{ℓ×n}, we write e(g_1^A, g_2^B) to denote the operation that outputs e(g_1, g_2)^{AB} ∈ G_T^{m×n}. In particular, the (i, j)th entry of e(g_1^A, g_2^B) is computed as

$\bigl[e(g_1^{\mathbf{A}}, g_2^{\mathbf{B}})\bigr]_{i,j} = \prod_{k \in [\ell]} e\bigl(g_1^{a_{i,k}}, g_2^{b_{k,j}}\bigr).$

Construction 4.13 (Publicly-Verifiable Hidden-Bits Generator from Pairings). Let PairingGroupGen be a prime-order bilinear group generator algorithm. We construct a publicly-verifiable hidden-bits generator (HBG) as follows:

• Setup(1^λ, 1^ρ) → crs: The setup algorithm starts by sampling G = (G_1, G_2, G_T, p, g_1, g_2, e) ← PairingGroupGen(1^λ) and a hash function H ←ᴿ ℋ, where ℋ is a family of hash functions with domain G_1 and range {0, 1}. Next, it samples a matrix V ←ᴿ Z_p^{(ρ+k)×k}, vectors w_1, . . . , w_ρ ←ᴿ Z_p^{ρ+k}, and verification components a ←ᴿ Z_p^{k+1}, B_1, . . . , B_ρ ←ᴿ Z_p^{k×(k+1)}. In addition, it samples d ←ᴿ Z_p^k, and constructs the matrix

$\mathbf{D} = \begin{pmatrix} \mathrm{diag}(\mathbf{d}) \\ \mathbf{1}^{\mathsf{T}} \end{pmatrix} \in \mathbb{Z}_p^{(k+1)\times k}. \quad (4.2)$

It computes ã^T ← a^T D ∈ Z_p^k, and for each i ∈ [ρ], it computes Z_i ← w_i a^T + V B_i ∈ Z_p^{(ρ+k)×(k+1)} and B̃_i ← B_i D ∈ Z_p^{k×k}. It outputs

$\mathsf{crs} = \Bigl(\mathcal{G},\ H,\ g_1^{\mathbf{V}},\ g_2^{\tilde{\mathbf{a}}^{\mathsf{T}}},\ g_2^{\mathbf{D}},\ \{g_1^{\mathbf{w}_i},\ g_1^{\mathbf{Z}_i},\ g_2^{\tilde{\mathbf{B}}_i}\}_{i\in[\rho]}\Bigr).$

• GenBits(crs) → (σ, r, {π_i}_{i∈[ρ]}): On input crs = (G, H, g_1^V, g_2^{ã^T}, g_2^D, {g_1^{w_i}, g_1^{Z_i}, g_2^{B̃_i}}_{i∈[ρ]}), sample y ←ᴿ Z_p^{ρ+k}, and compute for each i ∈ [ρ],

$g_1^{t_i} \leftarrow g_1^{\mathbf{y}^{\mathsf{T}}\mathbf{w}_i} \quad \text{and} \quad g_1^{\mathbf{u}_i^{\mathsf{T}}} \leftarrow g_1^{\mathbf{y}^{\mathsf{T}}\mathbf{Z}_i}.$

Next, let σ = g_1^{y^T V}, and for each i ∈ [ρ], set r_i ← H(g_1^{t_i}) and π_i = (g_1^{t_i}, g_1^{u_i^T}). Output σ, r, and {π_i}_{i∈[ρ]}.

• Verify(crs, σ, i, r_i, π_i): On input crs = (G, H, g_1^V, g_2^{ã^T}, g_2^D, {g_1^{w_i}, g_1^{Z_i}, g_2^{B̃_i}}_{i∈[ρ]}), σ = g_1^{c^T}, i ∈ [ρ], r_i ∈ {0, 1}, and π_i = (g_1^{t_i}, g_1^{u_i^T}), output 1 if

$e\bigl(g_1^{t_i}, g_2^{\tilde{\mathbf{a}}^{\mathsf{T}}}\bigr) \cdot e\bigl(g_1^{\mathbf{c}^{\mathsf{T}}}, g_2^{\tilde{\mathbf{B}}_i}\bigr) = e\bigl(g_1^{\mathbf{u}_i^{\mathsf{T}}}, g_2^{\mathbf{D}}\bigr) \quad (4.3)$

and r_i = H(g_1^{t_i}). If either check fails, output 0.

Correctness and security analysis. We now state the correctness and security theorems for Construction 4.13 and provide the proofs in Appendix C.2.

Theorem 4.14 (Correctness). Construction 4.13 is correct.

Theorem 4.15 (Succinctness). Construction 4.13 is succinct.

Theorem 4.16 (Computational Binding). Suppose PairingGroupGen outputs groups (G_1, G_2, G_T) such that the k-Lin assumption holds in G_1 and the k-KerLin assumption holds in G_2. Then, Construction 4.13 satisfies computational binding in binding mode.

Theorem 4.17 (Statistical Simulation). If H satisfies statistical uniformity, then Construction 4.13 satisfies statistical simulation.

4.3 Dual-Mode Hidden-Bits Generator with Malicious Security from k-Lin

We now show how to modify the k-Lin construction from Section 4.1 (Construction 4.3) to obtain a hidden-bits generator with security against malicious verifiers. Combined with Construction 3.4, this yields a dual-mode MDV-NIZK (Theorem 3.11). We refer to Section 1.2 for a high-level description of our approach.


Construction 4.18 (Dual-Mode HBG with Malicious Security from k-Lin). Let ρ be the output length of the hidden-bits generator. We require the following primitives:

• Let GroupGen be a prime-order group generator algorithm.

• Let ℓ = 3ρλ and define T_{λ,ℓ} := {S ⊆ [ℓ] : |S| = λ} to be the set of all subsets of [ℓ] that contain exactly λ elements. Let G : {0, 1}^κ → T_{λ,ℓ}^ρ × Z_p^{ρℓ} be a PRG with seed length κ = κ(λ). Here, p is the order of the group G output by GroupGen (on input 1^λ).

Constructing the PRG G. It is straightforward to construct a PRG with outputs in T_{λ,ℓ}^ρ × Z_p^{ρℓ} from a PRG with outputs in {0, 1}^{ρλℓ(1+⌈log p⌉)}. To see this, it suffices to give an efficient algorithm that maps from the uniform distribution on {0, 1}^{λℓ(1+⌈log p⌉)} to a distribution that is statistically close to uniform over T_{λ,ℓ} × Z_p^ℓ. Take a string γ ∈ {0, 1}^{λℓ(1+⌈log p⌉)}.

– The first λℓ bits of γ are interpreted as ℓ blocks of λ-bit indices i_1, . . . , i_ℓ ∈ {0, 1}^λ. These indices specify the set S ∈ T_{λ,ℓ} as follows. First, take S_0 ← [ℓ]. For each j ∈ [λ], take s_j to be the (i_j mod |S_{j−1}|)th element of S_{j−1} and define S_j ← S_{j−1} \ {s_j}. Define S ← {s_1, . . . , s_λ} ∈ T_{λ,ℓ}.

– The remaining λℓ⌈log p⌉ bits of γ are taken to be the binary representation of an ℓ-dimensional vector α ∈ Z^ℓ, where each component is a λ⌈log p⌉-bit integer.

The string γ ∈ {0, 1}^{λℓ(1+⌈log p⌉)} is mapped onto (S, α mod p) ∈ T_{λ,ℓ} × Z_p^ℓ. By construction, this procedure maps from the uniform distribution over {0, 1}^{λℓ(1+⌈log p⌉)} to a distribution that is statistically uniform over T_{λ,ℓ} × Z_p^ℓ.

We construct the dual-mode designated-verifier hidden-bits generator with malicious security as follows:
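The γ ↦ (S, α mod p) mapping described above, as an added Python example (not the paper's code). It follows the two steps literally: the λ-bit index blocks drive a selection-without-replacement loop over [ℓ], and each of the ℓ remaining λ⌈log p⌉-bit blocks is reduced mod p. The input γ is produced from SHAKE-256 as a constructed stand-in for the underlying bit-string PRG, with toy parameters λ = 4, ρ = 1 (so ℓ = 3ρλ = 12) and p = 509; reading "(i_j mod |S_{j−1}|)th element" as 0-indexed is an assumption of this example. The helper reduction_bias returns the bound p/2^w on the statistical distance between a uniform w-bit integer reduced mod p and the uniform distribution on Z_p, which is why λ⌈log p⌉-bit blocks make the output statistically uniform.

```python
import hashlib


def bits_to_int(bits):
    """Read a list of 0/1 ints (most significant first) as an integer."""
    value = 0
    for bit in bits:
        value = (value << 1) | bit
    return value


def ceil_log2(p):
    """ceil(log_2 p) without floating point."""
    return (p - 1).bit_length()


def parse_prg_block(gamma, lam, ell, p):
    """Map gamma in {0,1}^{lam*ell*(1+ceil(log p))} to (S, alpha mod p), where
    S in T_{lam,ell} is a lam-subset of [ell] and alpha in Z_p^ell."""
    width = lam * ceil_log2(p)
    if len(gamma) != lam * ell + ell * width:
        raise ValueError("gamma has the wrong length")
    # Step 1: the first lam*ell bits are ell blocks of lam-bit indices i_1..i_ell.
    idx = [bits_to_int(gamma[b * lam:(b + 1) * lam]) for b in range(ell)]
    remaining = list(range(1, ell + 1))           # S_0 = [ell], kept in order
    chosen = []
    for j in range(lam):                          # only i_1..i_lam drive the selection
        # s_j = the (i_j mod |S_{j-1}|)-th element of S_{j-1}, 0-indexed (assumption);
        # popping it realises S_j = S_{j-1} \ {s_j}.
        chosen.append(remaining.pop(idx[j] % len(remaining)))
    S = frozenset(chosen)                         # |S| = lam by construction
    # Step 2: the remaining bits are ell integers of lam*ceil(log p) bits each,
    # reduced mod p.
    tail = gamma[lam * ell:]
    alpha = [bits_to_int(tail[c * width:(c + 1) * width]) % p for c in range(ell)]
    return S, alpha


def reduction_bias(lam, p):
    """Upper bound p / 2^w on the statistical distance between (uniform w-bit
    integer) mod p and uniform over Z_p, for w = lam*ceil(log p)."""
    return p / 2 ** (lam * ceil_log2(p))


def demo_parse(seed, lam=4, rho=1, p=509):
    """Constructed stand-in for the PRG: SHAKE-256(seed) supplies the bits gamma."""
    ell = 3 * rho * lam                           # ell = 3*rho*lambda as in the paper
    nbits = lam * ell * (1 + ceil_log2(p))
    stream = hashlib.shake_256(seed).digest((nbits + 7) // 8)
    gamma = [(byte >> (7 - k)) & 1 for byte in stream for k in range(8)][:nbits]
    return parse_prg_block(gamma, lam, ell, p)


if __name__ == "__main__":
    S, alpha = demo_parse(b"constructed-seed")
    print(sorted(S), alpha, reduction_bias(4, 509))
```

For the toy parameters the reduction bias is 509/2^36, already below 10^-8; with a cryptographic λ and a group order of hundreds of bits the bound is negligible, matching the "statistically uniform" claim. The index step has a bias of at most |S_{j−1}|/2^λ per draw for the same reason.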

• Setup(1^λ, 1^ρ, mode) → crs: Let ℓ′ = ρℓ. Sample G = (G, p, g) ← GroupGen(1^λ) and H ←ᴿ ℋ, where ℋ is a family of hash functions with domain G and range {0, 1}. Next, it samples V ←ᴿ Z_p^{(ℓ′+k)×k} and vectors w_1, . . . , w_ℓ′ ∈ Z_p^{ℓ′+k} as follows:

– If mode = hiding, sample w_i ←ᴿ Z_p^{ℓ′+k} for all i ∈ [ℓ′].

– If mode = binding, sample s_i ←ᴿ Z_p^k and set w_i ← V s_i for all i ∈ [ℓ′].

Output crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ℓ′}).

• KeyGen(crs) → (pk, sk): On input crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ℓ′}), sample a ←ᴿ Z_p and b_1, . . . , b_ℓ′ ←ᴿ Z_p^k. For each i ∈ [ℓ′], compute z_i ← w_i a + V b_i ∈ Z_p^{ℓ′+k} and output

pk = (g^{z_1}, . . . , g^{z_ℓ′}) and sk = (a, b_1, . . . , b_ℓ′).

• GenBits(crs, pk) → (σ, r, {π_i}_{i∈[ρ]}): On input crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ℓ′}) and the public key pk = (g^{z_1}, . . . , g^{z_ℓ′}), sample y ←ᴿ Z_p^{ℓ′+k} and compute for each i ∈ [ℓ′]

$g^{t_i} \leftarrow g^{\mathbf{y}^{\mathsf{T}}\mathbf{w}_i} \quad \text{and} \quad g^{u_i} \leftarrow g^{\mathbf{y}^{\mathsf{T}}\mathbf{z}_i}.$

Next, sample a PRG seed s ←ᴿ {0, 1}^κ and compute (S_1, . . . , S_ρ, α) ← G(s) where S_i ∈ T_{λ,ℓ} for all i ∈ [ρ] and α ∈ Z_p^{ρℓ}. Compute the shifted sets S̃_i ← {j + ℓ · (i − 1) | j ∈ S_i} for each i ∈ [ρ]. Finally, compute

$r_i \leftarrow H\Bigl(\prod_{j \in \tilde{S}_i} g^{\alpha_j t_j}\Bigr) \quad \text{and} \quad \pi_i \leftarrow \{(j, g^{t_j}, g^{u_j})\}_{j \in \tilde{S}_i}.$

Output σ = (s, g^{y^T V}), r, and {π_i}_{i∈[ρ]}.

• Verify(crs, sk, σ, i, r_i, π_i): On input crs = (G, H, g^V, g^{w_1}, . . . , g^{w_ℓ′}), sk = (a, b_1, . . . , b_ℓ′), σ = (s, g^{c^T}), i ∈ [ρ], r_i ∈ {0, 1}, and π_i = {(j, g^{t_j}, g^{u_j})}_{j∈S} for an implicitly-defined set S ⊆ [ρℓ], the verification algorithm performs the following checks:

– Compute (S_1, . . . , S_ρ, α) ← G(s) and the shifted set S̃_i ← {j + ℓ · (i − 1) | j ∈ S_i}. It checks that S = S̃_i and outputs 0 if not.

– It checks that g^{u_j} = (g^{t_j})^a · g^{c^T b_j} for all j ∈ S, and outputs 0 if not.

– It checks that r_i = H(∏_{j∈S} g^{α_j t_j}) and outputs 0 if not.

If all checks pass, the verification algorithm outputs 1.

Correctness and security analysis. We now state the correctness and security theorems for Construction 4.18 and provide the proofs in Appendix C.3.

Theorem 4.19 (Correctness). Construction 4.18 is correct.

Theorem 4.20 (Succinctness). Construction 4.18 is succinct.

Theorem 4.21 (CRS Indistinguishability). Suppose the k-Lin assumption holds for GroupGen. Then, Construction 4.18 satisfies CRS indistinguishability.

Theorem 4.22 (Statistical Binding in Binding Mode). Construction 4.18 satisfies statistical binding in binding mode.

Theorem 4.23 (Statistical Simulation in Hiding Mode). If G is a secure PRG and H satisfies statistical uniformity, then Construction 4.18 satisfies statistical simulation in hiding mode against malicious verifiers.

5 Dual-Mode Hidden-Bits Generators from QR

In this section, we show how to similarly construct dual-mode hidden-bits generators from subgroup-indistinguishability-type assumptions [BG10], and specifically, from the QR and DCR assumptions. We begin in Section 5.1 with a basic construction from QR (the analog of Construction 4.3), and then show in Section 5.2 how we can use similar techniques from Section 4.3 to obtain a dual-mode hidden-bits generator with malicious security also from the QR assumption. While the construction with malicious security (Construction 5.9) subsumes the basic construction (Construction 5.3), we begin with the basic construction because it is both simpler to understand and contains all of the essential ingredients for realizing HBGs from a subgroup-indistinguishability-type assumption. Finally, in Appendix E, we show how to adapt our techniques to also obtain dual-mode HBGs from the DCR assumption.


5.1 Dual-Mode Hidden-Bits Generator from QR

In this section, we describe our construction of a dual-mode hidden-bits generator from the quadratic residuosity (QR) assumption [GM82]. We first recall some basic notation and the QR assumption.

Notation. Our construction works with a modulus N = pq that is a product of safe primes p, q: namely, p = 2p′ + 1 and q = 2q′ + 1 for primes p′ and q′. We write J_N to denote the multiplicative subgroup of Z_N^* with Jacobi symbol +1 (which has order 2p′q′) and QR_N to denote the multiplicative subgroup of quadratic residues modulo N (which has order p′q′). In the following description, we use the fact that J_N splits into two subgroups of coprime order: namely, J_N = QR_N × H, where H is the multiplicative subgroup {±1} of order 2 generated by −1. When N is a product of safe primes, QR_N is also cyclic. As such, we will write g to denote a generator of QR_N and h = −1 to denote the generator of H. We will typically write elements of J_N with a bar (e.g., c̄, t̄). In the analysis, it will be more conducive to analyze the components in their respective subgroups. In this case, we will often express elements of J_N as c̄ = g^{c} h^{ĉ} ∈ J_N, for exponents c ∈ Z_{p′q′} and ĉ ∈ Z_2.

Definition 5.1 (Sampling Safe Prime Product Modulus). A safe prime product modulus sampler SampleModulus is an efficient algorithm that on input the security parameter λ, outputs a tuple (N, p, q) where N = pq, p = 2p′ + 1, q = 2q′ + 1, for distinct primes p′, q′ where 1/p′, 1/q′ = negl(λ).

Definition 5.2 (Quadratic Residuosity Assumption [GM82]). A safe prime product sampler SampleModulus satisfies the quadratic residuosity (QR) assumption if, for any efficient adversary A, and any sampling (N, p, q) ← SampleModulus(1^λ), x ←ᴿ QR_N, where p = 2p′ + 1 and q = 2q′ + 1,

$\bigl|\Pr[\mathcal{A}(N, x) = 1] - \Pr[\mathcal{A}(N, (-1)\cdot x) = 1]\bigr| = \mathrm{negl}(\lambda).$

Our QR-based construction is conceptually similar to the QR-based trapdoor hash function of [DGI+19, Section 4.3]. Like [DGI+19], it uses the predicate LEQ : J_N × J_N → {0, 1} that outputs 1 if the bit representation of its first argument is no larger than that of its second argument in some lexicographical ordering. In particular, for all x_1, x_2 ∈ J_N, it will be the case that LEQ(x_1, x_2) = 1 − LEQ(x_2, x_1).

Construction 5.3 (Dual-Mode Hidden-Bits Generator from QR). Let ρ be the output length of the hidden-bits generator. Our QR-based dual-mode hidden-bits generator (HBG) works as follows:

• Setup$(1^\lambda, 1^\rho, \mathsf{mode}) \to \mathsf{crs}$: Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$, and let $g$ be a generator of $\mathsf{QR}_N$. Let $h = -1$ be the generator of $H = \{\pm 1\}$. The setup algorithm then samples a vector $\mathbf{v} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}^{\rho}$, scalars $s_1, \ldots, s_\rho \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}$, and sets $\mathbf{w}_i \in \mathbb{Z}_2^\rho$ for $i \in [\rho]$ as follows:

– If $\mathsf{mode} = \mathsf{hiding}$, set $\mathbf{w}_i \leftarrow \mathbf{e}_i$ where $\mathbf{e}_i \in \mathbb{Z}_2^\rho$ is the $i$th basis vector.

– If $\mathsf{mode} = \mathsf{binding}$, set $\mathbf{w}_i \leftarrow \mathbf{0}$.

Finally, it samples a hash function $H \leftarrow_R \mathcal{H}$, where $\mathcal{H}$ is a family of hash functions with domain $\mathbb{Z}_N$ and range $\{0, 1\}^\lambda$. Output $\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{w}_\rho})$.

• KeyGen$(\mathsf{crs}) \to (\mathsf{pk}, \mathsf{sk})$: On input $\mathsf{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_\rho)$, sample $a_\tau, b_{\tau,i} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}$ for all $\tau \in [T]$ and $i \in [\rho]$, where $T = 2(\lambda + \lceil \log N \rceil)$. It computes and outputs the public key $\mathsf{pk} = \{\bar{\mathbf{v}}^{b_{\tau,i}} \bar{\mathbf{w}}_i^{a_\tau}\}_{\tau \in [T], i \in [\rho]}$ and $\mathsf{sk} = \{a_\tau, b_{\tau,i}\}_{\tau \in [T], i \in [\rho]}$.


• GenBits$(\mathsf{crs}, \mathsf{pk}) \to (\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]})$: On input $\mathsf{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_\rho)$ and $\mathsf{pk} = \{\bar{\mathbf{z}}_{\tau,i}\}_{\tau \in [T], i \in [\rho]}$, sample $\mathbf{y} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}^{\rho}$ and compute for all $\tau \in [T]$ and $i \in [\rho]$
$$\bar{c} \leftarrow \prod_{j \in [\rho]} \bar{v}_j^{y_j} \quad\text{and}\quad \bar{t}_i \leftarrow \prod_{j \in [\rho]} \bar{w}_{i,j}^{y_j} \quad\text{and}\quad \bar{u}_{\tau,i} \leftarrow \prod_{j \in [\rho]} \bar{z}_{\tau,i,j}^{y_j}.$$
For each $i \in [\rho]$, let $u_i \leftarrow H(\bar{u}_{1,i}, \ldots, \bar{u}_{T,i})$ and $r_i \leftarrow \mathsf{LEQ}(\bar{t}_i, \bar{t}_i h)$. Output $\sigma = \bar{c}$, $\mathbf{r}$, and $\pi = \{(\bar{t}_i, u_i)\}_{i \in [\rho]}$.

• Verify$(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i)$: On input $\mathsf{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_\rho)$, the verification key $\mathsf{sk} = \{a_\tau, b_{\tau,i}\}_{\tau \in [T], i \in [\rho]}$, $\sigma = \bar{c}$, $i \in [\rho]$, $r_i \in \{0, 1\}$, and $\pi_i = (\bar{t}_i, u_i)$, output 1 if
$$u_i = H\big(\bar{t}_i^{a_1} \bar{c}^{b_{1,i}}, \ldots, \bar{t}_i^{a_T} \bar{c}^{b_{T,i}}\big), \tag{5.1}$$
and $r_i = \mathsf{LEQ}(\bar{t}_i, \bar{t}_i h)$. Otherwise, output 0.

The group elements that are input to algorithms KeyGen, GenBits, and Verify are assumed to be elements of the subgroup $\mathbb{J}_N$ of $\mathbb{Z}_N^*$. Note that since membership in $\mathbb{J}_N$ can be efficiently tested given the modulus $N$ (by computing the Jacobi symbol), each of the algorithms will first check this condition, and proceed only if all of the inputs are from the correct domains. We omit this explicit check in the above description for ease of exposition.

Correctness and security analysis. We now state the correctness and security theorems for Construction 5.3 and give the proofs in Appendix D.1.

Theorem 5.4 (Correctness). Construction 5.3 is correct.

Theorem 5.5 (Succinctness). Construction 5.3 is succinct.

Theorem 5.6 (CRS Indistinguishability). Suppose the QR assumption holds with respect to SampleModulus. Then, Construction 5.3 satisfies CRS indistinguishability.

Theorem 5.7 (Statistical Binding in Binding Mode). If $\mathcal{H}$ is pairwise independent, Construction 5.3 satisfies statistical binding in binding mode.

Theorem 5.8 (Statistical Simulation in Hiding Mode). Construction 5.3 satisfies statistical simulation in hiding mode.

5.2 Dual-Mode Hidden-Bits Generator with Malicious Security from QR

In this section, we show how to extend Construction 5.3 to obtain a dual-mode hidden-bits generator with malicious security from the QR assumption. Our construction is conceptually similar to Construction 4.18 from $k$-Lin.

Construction 5.9 (Dual-Mode HBG with Malicious Security from QR). Let $\rho$ be the output length of the hidden-bits generator. We rely on a similar set of building blocks as Construction 4.18:

• Let SampleModulus be a safe prime modulus sampler. Let $T = 2(\lambda + \lceil \log N \rceil)$, where $\lceil \log N \rceil$ is a bound on the bit-length of the modulus output by SampleModulus (on input $1^\lambda$).


• Let $\ell = 36\rho\lambda^2 T$ and define $\mathcal{T}_{\lambda,\ell} := \{S \subseteq [\ell] : |S| = \lambda\}$ to be the set of all subsets of $[\ell]$ that contain exactly $\lambda$ elements. Let $G : \{0, 1\}^\kappa \to \mathcal{T}_{\lambda,\ell}^{\rho} \times \mathbb{Z}_2^{\rho\ell}$ be a PRG with seed length $\kappa = \kappa(\lambda)$. Here, $N$ is the modulus output by SampleModulus. We refer to Construction 4.18 for a description of how to construct such a PRG.

We construct the dual-mode designated-verifier HBG with malicious security as follows:

• Setup$(1^\lambda, 1^\rho, \mathsf{mode}) \to \mathsf{crs}$: Let $\ell' = \rho\ell$. Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$. Let $g$ be a generator of $\mathsf{QR}_N$ and $h = -1$ be the generator of $H = \{\pm 1\}$. The setup algorithm samples a vector $\mathbf{v} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}^{\ell'}$, scalars $s_1, \ldots, s_{\ell'} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}$, and sets $\mathbf{w}_i \in \mathbb{Z}_2^{\ell'}$ for $i \in [\ell']$ as follows:

– If $\mathsf{mode} = \mathsf{hiding}$, set $\mathbf{w}_i \leftarrow \mathbf{e}_i$ where $\mathbf{e}_i \in \mathbb{Z}_2^{\ell'}$ is the $i$th basis vector.

– If $\mathsf{mode} = \mathsf{binding}$, set $\mathbf{w}_i \leftarrow \mathbf{0}$.

Finally, it samples a hash function $H \leftarrow_R \mathcal{H}$, where $\mathcal{H}$ is a family of hash functions with domain $\mathbb{Z}_N$ and range $\{0, 1\}^\lambda$. Output $\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{w}_{\ell'}})$.

• KeyGen$(\mathsf{crs}) \to (\mathsf{pk}, \mathsf{sk})$: On input $\mathsf{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_{\ell'})$, sample $a_\tau, b_{\tau,i} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}$ for all $\tau \in [T]$ and $i \in [\ell']$. It computes and outputs the public key $\mathsf{pk} = \{\bar{\mathbf{v}}^{b_{\tau,i}} \bar{\mathbf{w}}_i^{a_\tau}\}_{\tau \in [T], i \in [\ell']}$ and $\mathsf{sk} = \{a_\tau, b_{\tau,i}\}_{\tau \in [T], i \in [\ell']}$.

• GenBits$(\mathsf{crs}, \mathsf{pk}) \to (\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]})$: On input $\mathsf{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_{\ell'})$ and $\mathsf{pk} = \{\bar{\mathbf{z}}_{\tau,i}\}_{\tau \in [T], i \in [\ell']}$, sample $\mathbf{y} \leftarrow_R \mathbb{Z}_{\lfloor N/2 \rfloor}^{\ell'}$ and compute for all $\tau \in [T]$ and $i \in [\ell']$
$$\bar{c} \leftarrow \prod_{j \in [\ell']} \bar{v}_j^{y_j} \quad\text{and}\quad \bar{t}_i \leftarrow \prod_{j \in [\ell']} \bar{w}_{i,j}^{y_j} \quad\text{and}\quad \bar{u}_{\tau,i} \leftarrow \prod_{j \in [\ell']} \bar{z}_{\tau,i,j}^{y_j}.$$
In addition, for each $i \in [\ell']$, compute $u_i \leftarrow H(\bar{u}_{1,i}, \ldots, \bar{u}_{T,i})$. Next, sample a PRG seed $s \leftarrow_R \{0, 1\}^\kappa$ and compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$ where $S_i \in \mathcal{T}_{\lambda,\ell}$ for all $i \in [\rho]$ and $\boldsymbol{\alpha} \in \mathbb{Z}_2^{\rho\ell}$. For each $i \in [\rho]$, compute the shifted sets $S_i \leftarrow \{j + \ell \cdot (i - 1) \mid j \in S_i\}$ and set
$$\bar{t}'_i \leftarrow \prod_{j \in S_i} \bar{t}_j^{\alpha_j} \quad\text{and}\quad r_i \leftarrow \mathsf{LEQ}(\bar{t}'_i, \bar{t}'_i h) \quad\text{and}\quad \pi_i \leftarrow \{(j, \bar{t}_j, u_j)\}_{j \in S_i}.$$
Output $\sigma = (s, \bar{c})$, $\mathbf{r}$, and $\pi = \{\pi_i\}_{i \in [\rho]}$.

• Verify$(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i)$: On input $\mathsf{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_{\ell'})$, $\mathsf{sk} = \{a_\tau, b_{\tau,i}\}_{\tau \in [T], i \in [\ell']}$, $\sigma = (s, \bar{c})$, $i \in [\rho]$, $r_i \in \{0, 1\}$, and $\pi_i = \{(j, \bar{t}_j, u_j)\}_{j \in S}$ for an implicitly-defined set $S \subseteq [\ell']$, the verification algorithm performs the following checks:

– Compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$ and the shifted set $S_i \leftarrow \{j + \ell \cdot (i - 1) \mid j \in S_i\}$. It checks that $S = S_i$ and outputs 0 if not.

– It checks that
$$u_j = H\big(\bar{t}_j^{a_1} \bar{c}^{b_{1,j}}, \ldots, \bar{t}_j^{a_T} \bar{c}^{b_{T,j}}\big), \tag{5.2}$$
for all $j \in S$, and outputs 0 if not.

– It computes $\bar{t}'_i \leftarrow \prod_{j \in S} \bar{t}_j^{\alpha_j}$ and checks that $r_i = \mathsf{LEQ}(\bar{t}'_i, \bar{t}'_i h)$.


The group elements that are input to algorithms KeyGen, GenBits, and Verify are assumed to be elements of the subgroup $\mathbb{J}_N$ of $\mathbb{Z}_N^*$. Note that since membership in $\mathbb{J}_N$ can be efficiently tested given the modulus $N$ (by computing the Jacobi symbol), each of the algorithms will first check this condition, and proceed only if all of the inputs are from the correct domains. We omit this explicit check in the above description for ease of exposition.
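Construction 5.9 differs from Construction 5.3 only in how a hidden bit is read out: the seed $s$ fixes, for every $i$, a $\lambda$-subset $S_i$ (shifted into the $i$-th block of $[\ell']$) and exponents $\boldsymbol{\alpha}$, and the bit comes from $\bar{t}'_i = \prod_{j \in S_i} \bar{t}_j^{\alpha_j}$. The following added example, which is not the paper's code, isolates just that layer. It assumes the per-index elements $\bar{t}_j$ already exist (here they are constructed as random $\pm$squares modulo the toy modulus $23 \cdot 47$, standing in for GenBits output), replaces the PRG $G$ by a seeded Python PRNG stand-in, uses toy sizes $\lambda = 3$, $\rho = 2$, $\ell = 12$ instead of $\ell = 36\rho\lambda^2 T$, and omits the hash check (5.2), which is inherited unchanged from the base construction. The demo shows the verifier recomputing $S_i$ from $s$, rejecting an opening presented under the wrong index, and rejecting an opening in which an aggregated element with $\alpha_j = 1$ was negated (when the set contains one).

```python
import math, random

N = 23 * 47                   # constructed toy modulus (safe primes 23 and 47)
LAMBDA, RHO, ELL = 3, 2, 12   # toy sizes; the paper uses l = 36 rho lambda^2 T
ELL_PRIME = RHO * ELL         # l' = rho * l base-generator indices

def prg(seed):
    """Stand-in for G: seed -> (S_1..S_rho, alpha), S_i a lambda-subset of [l], alpha in Z_2^{rho l}."""
    rng = random.Random(seed)
    sets = [frozenset(rng.sample(range(ELL), LAMBDA)) for _ in range(RHO)]
    alpha = [rng.getrandbits(1) for _ in range(ELL_PRIME)]
    return sets, alpha

def shifted(S_i, i):
    """Move S_i into block i of [l'] (i is 0-based here): {j + l*i : j in S_i}."""
    return frozenset(j + ELL * i for j in S_i)

def leq(x1, x2):
    return 1 if x1 <= x2 else 0

def aggregate(t, S, alpha):
    """t'_i = prod_{j in S} t_j^{alpha_j} mod N, with t indexed by j."""
    acc = 1
    for j in S:
        acc = acc * pow(t[j], alpha[j], N) % N
    return acc

def prover_open(seed, t, i):
    """Prover side for index i: returns (r_i, pi_i) with pi_i = {j: t_j} over the shifted set."""
    sets, alpha = prg(seed)
    S = shifted(sets[i], i)
    tp = aggregate(t, S, alpha)
    return leq(tp, N - tp), {j: t[j] for j in S}

def verifier_check(seed, i, r_i, pi_i):
    """Verifier side: the set must equal the seed-derived S_i and the LEQ check must hold."""
    sets, alpha = prg(seed)
    if frozenset(pi_i) != shifted(sets[i], i):
        return False                      # prover tried to choose its own subset
    tp = aggregate(pi_i, pi_i, alpha)
    return r_i == leq(tp, N - tp)

def random_jn_element(rng):
    """Constructed element of J_N: +-(x^2) mod N for x coprime to N."""
    x = rng.randrange(2, N)
    while math.gcd(x, N) != 1:
        x = rng.randrange(2, N)
    return (-1) ** rng.getrandbits(1) * pow(x, 2, N) % N

def demo(seed=b"constructed-seed", rng_seed=11):
    rng = random.Random(rng_seed)
    t = [random_jn_element(rng) for _ in range(ELL_PRIME)]   # stands in for GenBits output
    openings = [prover_open(seed, t, i) for i in range(RHO)]
    honest = all(verifier_check(seed, i, r, pi) for i, (r, pi) in enumerate(openings))
    # Reusing the opening of index 0 for index 1 fails the set check (different block of [l']).
    r0, pi0 = openings[0]
    cross = verifier_check(seed, 1, r0, pi0)
    # Negating one aggregated element with alpha_j = 1 negates t'_0 and so flips the bit.
    _, alpha = prg(seed)
    active = [j for j in pi0 if alpha[j] == 1]
    tampered = dict(pi0)
    if active:
        tampered[active[0]] = N - tampered[active[0]]
    tampered_ok = verifier_check(seed, 0, r0, tampered)
    return {"honest": honest, "cross_index": cross, "tampered_ok": tampered_ok, "active": bool(active)}
```

If none of the $\alpha_j$ in $S_0$ is 1 for the chosen seed, `tampered` equals the honest opening and is accepted; otherwise it is rejected, so `tampered_ok` is exactly `not active`.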

Correctness and security analysis. We now state the correctness and security theorems for Construction 5.9 and give the proofs in Appendix D.2.

Theorem 5.10 (Correctness). Construction 5.9 is correct.

Theorem 5.11 (Succinctness). Construction 5.9 is succinct.

Theorem 5.12 (CRS Indistinguishability). Suppose the QR assumption holds with respect to SampleModulus. Then, Construction 5.9 satisfies CRS indistinguishability.

Theorem 5.13 (Statistical Binding in Binding Mode). If $\mathcal{H}$ is pairwise independent, Construction 5.9 satisfies statistical binding in binding mode.

Theorem 5.14 (Statistical Simulation in Hiding Mode). Construction 5.9 satisfies statistical simulation in hiding mode.

6 Instantiations and Extensions

In this section, we provide the main implications of our framework for constructing statistical (and more generally, dual-mode) NIZKs. We conclude by describing two simple extensions to augment our NIZKs with additional properties.

Dual-mode MDV-NIZKs. By instantiating Construction 3.4 with a dual-mode MDV hidden-bits generator (e.g., Constructions 4.18, 5.9 and E.16), we obtain a dual-mode MDV-NIZK (Theorems 3.5, 3.7 and 3.11). We summarize our instantiations with the following corollaries:

Corollary 6.1 (Dual-Mode MDV-NIZK from $k$-Lin). Under the $k$-Lin assumption over pairing-free groups (for any $k \ge 1$), there exists a statistical MDV-NIZK argument (with non-adaptive soundness) in the common random string model, and a computational MDV-NIZK proof (with adaptive soundness) for NP in the common reference string model.

Corollary 6.2 (Dual-Mode MDV-NIZK from QR or DCR). Under the QR or DCR assumptions, there exists a statistical MDV-NIZK argument (with non-adaptive soundness) and a computational MDV-NIZK proof (with adaptive soundness) for NP in the common reference string model.

Remark 6.3 (Perfect Zero-Knowledge DV-NIZK from $k$-Lin). As discussed in Remark C.8, Construction 4.3 satisfies perfect statistical simulation if the hash function $H : \mathbb{G} \setminus \{g^0\} \to \{0, 1\}$ is perfectly uniform and there is an efficient algorithm to exactly sample $t \leftarrow_R \mathbb{Z}_p$ such that $H(g^t) = r$ for any $r \in \{0, 1\}$. Here we describe a straightforward candidate for $H$ when $\mathbb{G} = E(\mathbb{F}_p)$ is an elliptic-curve group of prime order. We can write $E(\mathbb{F}_p) = \{y^2 = x^3 + Ax + B \mid (x, y) \in \mathbb{F}_p^2\} \cup \{\mathcal{O}\}$, where $\mathcal{O}$ is the identity element. For a point $(x, y) \in \mathbb{G} \setminus \{\mathcal{O}\}$, we define the hash function $H(x, y) := \mathsf{sign}(y)$, where $\mathsf{sign}(y)$ outputs 0 if $y \in \mathbb{F}_p$ is lexicographically smaller than $-y \in \mathbb{F}_p$, and 1 otherwise. Since


$(x, y) \in \mathbb{G}$ implies that $(x, -y) \in \mathbb{G}$ (and no point of a prime-order group has $y = 0$, so $(x, y)$ and $(x, -y)$ are always distinct), $H$ perfectly partitions $\mathbb{G} \setminus \{\mathcal{O}\}$ into two equal-size sets, and correspondingly, $H$ is perfectly uniform. Next, it is straightforward to sample $t \leftarrow_R \mathbb{G} \setminus \{\mathcal{O}\}$ such that $H(t) = r$. Simply sample $(x, y) \leftarrow_R \mathbb{G} \setminus \{\mathcal{O}\}$, and output either $(x, y)$ or $(x, -y)$, depending on $r$. Thus, $H$ satisfies the required properties and combined with Construction 4.3, gives a hidden-bits generator with perfect simulation in hiding mode. Combined with Construction 3.4, we obtain a perfect DV-NIZK argument from the $k$-Lin assumption in pairing-free groups. Note that our MDV-NIZK construction from the $k$-Lin assumption (Construction 4.18) does not satisfy perfect simulation in hiding mode, so we do not obtain a perfect MDV-NIZK argument.

Publicly-verifiable statistical NIZK arguments. By instantiating Construction B.1 with a publicly-verifiable hidden-bits generator satisfying statistical simulation (e.g., Construction 4.13), we obtain a publicly-verifiable statistical NIZK argument in the common reference string model:

Corollary 6.4 (Publicly-Verifiable Statistical NIZK Argument from Pairings). Suppose that the $k$-Lin assumption holds in $\mathbb{G}_1$ and the $k$-KerLin assumption holds in $\mathbb{G}_2$ (for any $k \ge 1$) over a pairing group. Then, there exists a publicly-verifiable statistical NIZK argument for NP (with non-adaptive soundness) in the common reference string model.

Extensions. We conclude by describing two simple extensions to our framework to support languages where statements can have an arbitrary a priori unbounded polynomial length as well as how to obtain a proof of knowledge.

Remark 6.5 (Unbounded Statement Size). All of our NIZK constructions in this paper assumed an a priori bound on the length $n$ of the statements in the language (which determines the length of the hidden-bits string we require), and the length of the CRS scales with $n$. Using the same idea from [QRW19, §7], it is straightforward to adapt the construction to have a fixed-size CRS (independent of $n$) that supports proving statements of arbitrary $\mathrm{poly}(\lambda)$ size. We require a non-interactive commitment in the CRS model, and we will use 3-SAT as our underlying NP-complete language. To prove that a specific 3-CNF formula is satisfiable, the prover would commit to the satisfying assignment (one variable at a time), and then use the NIZK to prove that the committed values indeed satisfy each clause. Observe that we now only require a NIZK that supports a fixed-size language to implement this transformation. Moreover, if we instantiate the commitment with a “dual-mode” commitment, where in one mode, the commitment is statistically binding, and in the other, is statistically hiding, then we retain the dual-mode properties of the underlying NIZK. We can build dual-mode commitments from any lossy public-key encryption scheme [BHY09] (implied by standard intractability assumptions like DDH, QR, and DCR). Specifically, the CRS would contain a public key for the encryption scheme, and a commitment to a bit $b \in \{0, 1\}$ would be an encryption of $b$ with fresh randomness $r$. The randomness $r$ then serves as the commitment opening. When the lossy encryption scheme is injective, then the commitment is statistically binding and if the encryption scheme is lossy, then the commitment scheme is statistically hiding.

Remark 6.6 (Proofs of Knowledge). It is also straightforward to update our NIZK constructions to obtain a proof of knowledge via the classic transformation where the prover encrypts the witness (using a public-key encryption scheme) and gives a proof that the encrypted witness satisfies the relation [DP92]. To preserve the dual-mode properties of the NIZK, we again require a lossy public-key encryption scheme [BHY09] (similar to Remark 6.5).


Acknowledgments

We thank the anonymous Eurocrypt reviewers for helpful feedback on this work.

References

[AF07] Masayuki Abe and Serge Fehr. Perfect NIZK with adaptive soundness. In TCC, 2007.

[BB04] Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity-based encryption without random oracles. In EUROCRYPT, 2004.

[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short group signatures. In CRYPTO, 2004.

[BCG+19] Elette Boyle, Geoffroy Couteau, Niv Gilboa, Yuval Ishai, Lisa Kohl, and Peter Scholl. Efficient pseudorandom correlation generators: Silent OT extension and more. In CRYPTO, 2019.

[BCGI18] Elette Boyle, Geoffroy Couteau, Niv Gilboa, and Yuval Ishai. Compressing vector OLE. In ACM CCS, 2018.

[BFM88] Manuel Blum, Paul Feldman, and Silvio Micali. Non-interactive zero-knowledge and its applications (extended abstract). In STOC, 1988.

[BG10] Zvika Brakerski and Shafi Goldwasser. Circular and leakage resilient public-key encryption under subgroup indistinguishability (or: Quadratic residuosity strikes back). In CRYPTO, 2010.

[BHY09] Mihir Bellare, Dennis Hofheinz, and Scott Yilek. Possibility and impossibility results for encryption and commitment secure under selective opening. In EUROCRYPT, 2009.

[Blu86] Manuel Blum. How to prove a theorem so no one else can claim it. In Proceedings of the International Congress of Mathematicians, volume 1, 1986.

[BY92] Mihir Bellare and Moti Yung. Certifying cryptographic tools: The case of trapdoor permutations. In CRYPTO, 1992.

[CCH+19] Ran Canetti, Yilei Chen, Justin Holmgren, Alex Lombardi, Guy N. Rothblum, Ron D. Rothblum, and Daniel Wichs. Fiat-Shamir: from practice to theory. In STOC, 2019.

[CDI+19] Melissa Chase, Yevgeniy Dodis, Yuval Ishai, Daniel Kraschewski, Tianren Liu, Rafail Ostrovsky, and Vinod Vaikuntanathan. Reusable non-interactive secure computation. In CRYPTO, 2019.

[CH19] Geoffroy Couteau and Dennis Hofheinz. Designated-verifier pseudorandom generators, and their applications. In EUROCRYPT, 2019.

[CHK03] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key encryption scheme. In EUROCRYPT, 2003.


[CKS08] David Cash, Eike Kiltz, and Victor Shoup. The twin Diffie-Hellman problem and applications. In EUROCRYPT, 2008.

[CL18] Ran Canetti and Amit Lichtenberg. Certifying trapdoor permutations, revisited. In TCC, 2018.

[CS98] Ronald Cramer and Victor Shoup. A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In CRYPTO, 1998.

[CS02] Ronald Cramer and Victor Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure public-key encryption. In EUROCRYPT, 2002.

[DDO+01] Alfredo De Santis, Giovanni Di Crescenzo, Rafail Ostrovsky, Giuseppe Persiano, and Amit Sahai. Robust non-interactive zero knowledge. In CRYPTO, 2001.

[DFN06] Ivan Damgård, Nelly Fazio, and Antonio Nicolosi. Non-interactive zero-knowledge from homomorphic encryption. In TCC, 2006.

[DGI+19] Nico Döttling, Sanjam Garg, Yuval Ishai, Giulio Malavolta, Tamer Mour, and Rafail Ostrovsky. Trapdoor hash functions and their applications. In CRYPTO, 2019.

[DMP87] Alfredo De Santis, Silvio Micali, and Giuseppe Persiano. Non-interactive zero-knowledge proof systems. In CRYPTO, 1987.

[DP92] Alfredo De Santis and Giuseppe Persiano. Zero-knowledge proofs of knowledge without interaction (extended abstract). In FOCS, 1992.

[EHK+13] Alex Escala, Gottfried Herold, Eike Kiltz, Carla Ràfols, and Jorge L. Villar. An algebraic framework for Diffie-Hellman assumptions. In CRYPTO, 2013.

[FLS90] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge proofs based on a single random string (extended abstract). In FOCS, 1990.

[FLS99] Uriel Feige, Dror Lapidot, and Adi Shamir. Multiple non-interactive zero knowledge proofs under general assumptions. SIAM J. Comput., 29(1), 1999.

[FS86] Amos Fiat and Adi Shamir. How to prove yourself: Practical solutions to identification and signature problems. In CRYPTO, 1986.

[GM82] Shafi Goldwasser and Silvio Micali. Probabilistic encryption and how to play mental poker keeping secret all partial information. In STOC, 1982.

[GMR89] Shafi Goldwasser, Silvio Micali, and Charles Rackoff. The knowledge complexity of interactive proof systems. SIAM J. Comput., 18(1), 1989.

[Gol11] Oded Goldreich. Basing non-interactive zero-knowledge on (enhanced) trapdoor permutations: The state of the art. In Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. 2011.

[GOS06] Jens Groth, Rafail Ostrovsky, and Amit Sahai. Perfect non-interactive zero knowledge for NP. In EUROCRYPT, 2006.


[GOS12] Jens Groth, Rafail Ostrovsky, and Amit Sahai. New techniques for noninteractive zero-knowledge. J. ACM, 59(3), 2012.

[GR13] Oded Goldreich and Ron D. Rothblum. Enhancements of trapdoor permutations. J. Cryptology, 26(3), 2013.

[Gro10] Jens Groth. Short non-interactive zero-knowledge proofs. In ASIACRYPT, 2010.

[HILL99] Johan Håstad, Russell Impagliazzo, Leonid A. Levin, and Michael Luby. A pseudorandom generator from any one-way function. SIAM J. Comput., 28(4), 1999.

[HJO+16] Brett Hemenway, Zahra Jafargholi, Rafail Ostrovsky, Alessandra Scafuro, and Daniel Wichs. Adaptively secure garbled circuits from one-way functions. In CRYPTO, 2016.

[HJR16] Dennis Hofheinz, Tibor Jager, and Andy Rupp. Public-key encryption with simulation-based selective-opening security and compact ciphertexts. In TCC, 2016.

[HK07] Dennis Hofheinz and Eike Kiltz. Secure hybrid encryption from weakened key encapsulation. In CRYPTO, 2007.

[HU19] Dennis Hofheinz and Bogdan Ursu. Dual-mode NIZKs from obfuscation. In ASIACRYPT, 2019.

[KNYY19a] Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, and Takashi Yamakawa. Designated verifier/prover and preprocessing NIZKs from Diffie-Hellman assumptions. In EUROCRYPT, 2019.

[KNYY19b] Shuichi Katsumata, Ryo Nishimaki, Shota Yamada, and Takashi Yamakawa. Exploring constructions of compact NIZKs from various assumptions. In CRYPTO, 2019.

[KW15] Eike Kiltz and Hoeteck Wee. Quasi-adaptive NIZK for linear subspaces revisited. In EUROCRYPT, 2015.

[KW18] Sam Kim and David J. Wu. Multi-theorem preprocessing NIZKs from lattices. In CRYPTO, 2018.

[LQR+19] Alex Lombardi, Willy Quach, Ron D. Rothblum, Daniel Wichs, and David J. Wu. New constructions of reusable designated-verifier NIZKs. In CRYPTO, 2019.

[MRV15] Paz Morillo, Carla Ràfols, and Jorge L. Villar. Matrix computational assumptions in multilinear groups. IACR Cryptology ePrint Archive, 2015.

[Pai99] Pascal Paillier. Public-key cryptosystems based on composite degree residuosity classes. In EUROCRYPT, 1999.

[PS19] Chris Peikert and Sina Shiehian. Noninteractive zero knowledge for NP from (plain) learning with errors. In CRYPTO, 2019.

[PsV06] Rafael Pass, Abhi shelat, and Vinod Vaikuntanathan. Construction of a non-malleable encryption scheme from any semantically secure one. In CRYPTO, 2006.


[QRW19] Willy Quach, Ron D. Rothblum, and Daniel Wichs. Reusable designated-verifier NIZKs for all NP from CDH. In EUROCRYPT, 2019.

[Sha07] Hovav Shacham. A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive, 2007.

[SW14] Amit Sahai and Brent Waters. How to use indistinguishability obfuscation: deniable encryption, and more. In STOC, 2014.

[YYHK16] Takashi Yamakawa, Shota Yamada, Goichiro Hanaoka, and Noboru Kunihiro. Adversary-dependent lossy trapdoor function from hardness of factoring semi-smooth RSA subgroup moduli. In CRYPTO, 2016.

A Analysis of Construction 3.4 (Dual-Mode DV-NIZK)

In this section, we provide complete proofs for statements in Section 3.1.

Proof of Theorem 3.7 (Statistical Soundness). The argument proceeds very similarly to the corresponding proof of adaptive statistical soundness from [QRW19]. We use a simple hybrid argument:

• $\mathsf{Hyb}_0$: This is the real soundness experiment where the challenger begins by sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$ and $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, where $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$, $\mathsf{pk} = \mathsf{pk}_{\mathsf{HBG}}$, and $\mathsf{sk} = \mathsf{sk}_{\mathsf{HBG}}$. The challenger gives $\mathsf{crs}$ and $\mathsf{pk}$ to $\mathcal{A}$. Adversary $\mathcal{A}$ can then make verification queries on pairs $(x, \pi)$ and the challenger responds with $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x, \pi)$. At the end of the experiment, the adversary outputs $(x^*, \pi^*)$ and the output of the experiment is 1 if $x^* \notin \mathcal{L}$ and $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x^*, \pi^*) = 1$.

• $\mathsf{Hyb}_1$: Same as $\mathsf{Hyb}_0$ except that, at the end of the experiment, after the adversary outputs its statement $x^* \in \{0, 1\}^n$ and proof $\pi^* = (\sigma^*, I^*, \mathbf{r}^*_{I^*}, \{\pi^*_{\mathsf{HBG},i}\}_{i \in I^*}, \pi^*_{\mathsf{HBM}})$, the challenger performs the following additional check:

– Compute $\mathbf{r} \leftarrow \mathsf{Open}(\mathsf{crs}_{\mathsf{HBG}}, \sigma^*)$. If $\mathsf{HBG.Verify}(\mathsf{crs}_{\mathsf{HBG}}, \mathsf{sk}_{\mathsf{HBG}}, \sigma^*, i, r^*_i, \pi^*_{\mathsf{HBG},i}) = 1$ for all $i \in I^*$ and $\mathbf{r}_{I^*} \neq \mathbf{r}^*_{I^*}$, then the challenger aborts the experiment and outputs $\bot$.

For an adversary $\mathcal{A}$, we write $\mathsf{Hyb}_i(\mathcal{A})$ to denote the output distribution of an execution of experiment $\mathsf{Hyb}_i$ with adversary $\mathcal{A}$. We now show that $\mathsf{Hyb}_0(\mathcal{A}) \overset{s}{\approx} \mathsf{Hyb}_1(\mathcal{A})$ and that $\Pr[\mathsf{Hyb}_1(\mathcal{A}) = 1] = \mathrm{negl}(\lambda)$.

Lemma A.1. If $\Pi_{\mathsf{HBG}}$ is statistically binding in binding mode, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \overset{s}{\approx} \mathsf{Hyb}_1(\mathcal{A})$.

Proof. The only difference between $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ is the additional check the challenger performs when computing $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, x^*, \pi^*)$ which precisely coincides with the binding property of the hidden-bits generator. An adversary that causes $\mathsf{Hyb}_1$ to output $\bot$ with noticeable probability can break the binding property with the same probability (formally, the reduction algorithm can simulate the $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \cdot, \cdot)$ queries via oracle access to $\mathsf{HBG.Verify}(\mathsf{crs}_{\mathsf{HBG}}, \mathsf{sk}_{\mathsf{HBG}}, \cdot, \cdot, \cdot, \cdot)$ in the binding game).

Lemma A.2. For all adversaries A, Pr[Hyb1(A) = 1] = negl(λ).


Proof. Let $x^* \in \{0, 1\}^n$ and $\pi^* = (\sigma^*, I^*, \mathbf{r}^*_{I^*}, \{\pi^*_{\mathsf{HBG},i}\}_{i \in I^*}, \pi^*_{\mathsf{HBM}})$ be the adversary's output in $\mathsf{Hyb}_1$. For $\mathsf{Hyb}_1(\mathcal{A})$ to output 1, the following conditions must hold:

• $\mathbf{r}_{I^*} = \mathbf{r}^*_{I^*}$ where $\mathbf{r} \leftarrow \mathsf{Open}(\mathsf{crs}_{\mathsf{HBG}}, \sigma^*)$;

• $\mathsf{HBM.Verify}(1^\lambda, I^*, \mathbf{r}_{I^*} \oplus \mathbf{s}_{I^*}, x^*, \pi^*_{\mathsf{HBM}}) = 1$.

Fix any commitment string $\sigma \in \{0, 1\}^\ell$ and let $\mathbf{r} \leftarrow \mathsf{Open}(\mathsf{crs}_{\mathsf{HBG}}, \sigma)$ be the associated sequence of bits. For a randomly and independently sampled $\mathbf{s} \leftarrow_R \{0, 1\}^\rho$, $\mathbf{r}_{I^*} \oplus \mathbf{s}_{I^*}$ is also uniformly random. By soundness of $\Pi_{\mathsf{HBM}}$,
$$\Pr[\mathsf{HBM.Verify}(1^\lambda, I^*, \mathbf{r}_{I^*} \oplus \mathbf{s}_{I^*}, x^*, \pi^*_{\mathsf{HBM}})] = \varepsilon(\lambda).$$
Taking a union bound over all possible commitments $\sigma \in \{0, 1\}^\ell$, we have that
$$\Pr[\exists \sigma \in \{0, 1\}^\ell : \mathsf{HBM.Verify}(1^\lambda, I^*, \mathbf{r}_{I^*} \oplus \mathbf{s}_{I^*}, x^*, \pi^*_{\mathsf{HBM}})] \le 2^\ell \cdot \varepsilon(\lambda) = \mathrm{negl}(\lambda),$$
where in the above expression, $\mathbf{r} \leftarrow \mathsf{Open}(\mathsf{crs}_{\mathsf{HBG}}, \sigma^*)$. Thus, $\mathsf{Hyb}_1(\mathcal{A})$ outputs 1 with negligible probability.

Since the distributions $\mathsf{Hyb}_0(\mathcal{A})$ and $\mathsf{Hyb}_1(\mathcal{A})$ are statistically indistinguishable, the probability that $\mathsf{Hyb}_0(\mathcal{A})$ outputs 1 (i.e., $\mathcal{A}$ breaks soundness) is negligible.

Proof of Theorem 3.11 (Statistical Zero-Knowledge). The proof follows by essentially the same argument as the proof of Theorem 3.8. Specifically, let $\mathcal{S}_{\mathsf{HBM}}$ be the zero-knowledge simulator for $\Pi_{\mathsf{HBM}}$ and $\mathcal{S}_{\mathsf{HBG}} = (\mathcal{S}_{\mathsf{HBG},1}, \mathcal{S}_{\mathsf{HBG},2})$ be the simulator for $\Pi_{\mathsf{HBG}}$ in hiding mode. We construct the zero-knowledge simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ for $\Pi_{\mathsf{dvNIZK}}$ as follows:

• $\mathcal{S}_1(1^\lambda) \to (\mathsf{st}_{\mathcal{S}}, \mathsf{crs})$: Run $(\mathsf{st}_{\mathsf{HBG}}, \mathsf{crs}_{\mathsf{HBG}}) \leftarrow \mathcal{S}_{\mathsf{HBG}}(1^\lambda, 1^\rho)$ and sample $\mathbf{s} \leftarrow_R \{0, 1\}^\rho$. Output $\mathsf{st}_{\mathcal{S}} = \mathsf{st}_{\mathsf{HBG}}$ and $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$.

• $\mathcal{S}_2(\mathsf{st}_{\mathcal{S}}, \mathsf{pk}, x) \to \pi$: On input $\mathsf{st}_{\mathcal{S}} = \mathsf{st}_{\mathsf{HBG}}$, $\mathsf{pk}$ and $x \in \{0, 1\}^n$, run $(I, \mathbf{r}_I, \pi_{\mathsf{HBM}}) \leftarrow \mathcal{S}_{\mathsf{HBM}}(1^\lambda, x)$ and $(\sigma, \{\pi_{\mathsf{HBG},i}\}_{i \in I}) \leftarrow \mathcal{S}_{\mathsf{HBG},2}(\mathsf{st}_{\mathsf{HBG}}, \mathsf{pk}, I, \mathbf{r}_I \oplus \mathbf{s}_I)$. Output the simulated proof $\pi = (\sigma, I, \mathbf{r}_I \oplus \mathbf{s}_I, \{\pi_{\mathsf{HBG},i}\}_{i \in I}, \pi_{\mathsf{HBM}})$.

To complete the proof, we use the same hybrid structure as in the proof of Theorem 3.8:

• Hyb0: This is the real distribution.

• $\mathsf{Hyb}_1$: Same as $\mathsf{Hyb}_0$, except the challenger uses $\mathcal{S}_{\mathsf{HBG},1}$ to generate the common reference string. It uses $\mathcal{S}_{\mathsf{HBG},2}$ to simulate the openings to the hidden-bits generator when responding to oracle queries.

• $\mathsf{Hyb}_2$: Same as $\mathsf{Hyb}_1$, except when responding to oracle queries, the challenger uses the simulator for the hidden-bits model NIZK to simulate the proofs. This is the simulated distribution.

By essentially the same argument as in the proof of Lemma 3.9, $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ are statistically indistinguishable if $\Pi_{\mathsf{HBG}}$ satisfies statistical simulation for malicious keys. Similarly, $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$ are statistically indistinguishable if $\Pi_{\mathsf{HBM}}$ provides statistical zero-knowledge. This follows by an identical argument as in the proof of Lemma 3.10.


B Publicly-Verifiable Statistical NIZK Arguments from HBG

In this section, we show that a (publicly-verifiable) hidden-bits generator that satisfies computational binding (Definition 4.10) yields a (publicly-verifiable) NIZK that satisfies non-adaptive computational soundness. The analysis is very similar to the proof of statistical soundness (Theorem 3.7). Here, we consider a variant of Construction 3.4 that is publicly-verifiable but has just a single mode. This is essentially the construction from [QRW19]. For completeness, we recall the specific construction:

Construction B.1 (NIZK from Publicly-Verifiable HBG). Let $\mathcal{L} \subseteq \{0, 1\}^n$ be an NP language with associated NP relation $\mathcal{R}$. We rely on the following building blocks:

• Let $\Pi_{\mathsf{HBG}} = (\mathsf{HBG.Setup}, \mathsf{HBG.GenBits}, \mathsf{HBG.Verify})$ be a publicly-verifiable hidden-bits generator with commitments of length $\ell = \ell(\lambda, \rho)$, where $\lambda$ is the security parameter and $\rho$ is the output length of the generator.

• Let $\Pi_{\mathsf{HBM}} = (\mathsf{HBM.Prove}, \mathsf{HBM.Verify})$ be a NIZK in the hidden-bits model for $\mathcal{L}$, and let $\rho = \rho(\lambda)$ be the length of the hidden-bits string for $\Pi_{\mathsf{HBM}}$.

We construct a publicly-verifiable NIZK ΠNIZK = (Setup,Prove,Verify) for L as follows:

• Setup$(1^\lambda) \to \mathsf{crs}$: On input $\lambda \in \mathbb{N}$, sample $\mathbf{s} \leftarrow_R \{0, 1\}^\rho$. Run $\mathsf{crs}_{\mathsf{HBG}} \leftarrow \mathsf{HBG.Setup}(1^\lambda, 1^\rho, \mathsf{mode})$ and output $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$.

• Prove$(\mathsf{crs}, x, w) \to \pi$: On input $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$, $x \in \{0, 1\}^n$, and $w$, compute a hidden-bits string $(\sigma, \mathbf{r}, \{\pi_{\mathsf{HBG},i}\}_{i \in \{1, \ldots, \rho\}}) \leftarrow \mathsf{HBG.GenBits}(\mathsf{crs}_{\mathsf{HBG}}, \mathsf{pk}_{\mathsf{HBG}})$, and an HBM proof $(I, \pi_{\mathsf{HBM}}) \leftarrow \mathsf{HBM.Prove}(1^\lambda, \mathbf{r} \oplus \mathbf{s}, x, w)$. Output $\pi = (\sigma, I, \mathbf{r}_I, \{\pi_{\mathsf{HBG},i}\}_{i \in I}, \pi_{\mathsf{HBM}})$.

• Verify$(\mathsf{crs}, x, \pi)$: On input $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$, $x \in \{0, 1\}^n$, and $\pi = (\sigma, I, \mathbf{r}_I, \{\pi_{\mathsf{HBG},i}\}_{i \in I}, \pi_{\mathsf{HBM}})$, output 1 if $\mathsf{HBM.Verify}(1^\lambda, I, \mathbf{r}_I \oplus \mathbf{s}_I, x, \pi_{\mathsf{HBM}}) = 1$ and $\mathsf{HBG.Verify}(\mathsf{crs}_{\mathsf{HBG}}, \sigma, i, r_i, \pi_{\mathsf{HBG},i}) = 1$ for all $i \in I$. Otherwise, output 0.

Theorem B.2 (Completeness). If $\Pi_{\mathsf{HBM}}$ is complete and $\Pi_{\mathsf{HBG}}$ is correct, then $\Pi_{\mathsf{NIZK}}$ from Construction B.1 is complete.

Proof. Follows by a similar argument as the proof of Theorem 3.5.

Theorem B.3 (Computational Soundness). If $\Pi_{\mathsf{HBM}}$ is statistically sound with soundness error $\varepsilon(\lambda)$, $\Pi_{\mathsf{HBG}}$ is computationally binding (Definition 4.10), and $2^\ell \cdot \varepsilon = \mathrm{negl}(\lambda)$, then $\Pi_{\mathsf{NIZK}}$ from Construction B.1 satisfies non-adaptive computational soundness.

Proof. The proof uses a similar hybrid structure as in the proof of Theorem 3.7, except we are in the non-adaptive setting. In particular, fix a statement $x \notin \mathcal{L}$, and let $\mathcal{E}$ be the extractor associated with $\Pi_{\mathsf{HBG}}$ (from Definition 4.10). Consider the following sequence of hybrid experiments:

• $\mathsf{Hyb}_0$: This is the real soundness experiment, where the challenger begins by sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda)$ and gives $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$ to $\mathcal{A}$. At the end of the experiment, $\mathcal{A}$ outputs a proof $\pi^*$ and the output of the experiment is 1 if $\mathsf{Verify}(\mathsf{crs}, x, \pi^*) = 1$.

• $\mathsf{Hyb}_1$: Same as $\mathsf{Hyb}_0$, except the challenger samples $(\mathsf{st}_{\mathcal{E}}, \mathsf{crs}_{\mathsf{HBG}}) \leftarrow \mathcal{E}_1(1^\lambda, 1^\rho)$ and uses $\mathsf{crs} = (\lambda, \mathbf{s}, \mathsf{crs}_{\mathsf{HBG}})$ in place of $\mathsf{crs}$.


• $\mathsf{Hyb}_2$: Same as $\mathsf{Hyb}_1$, except at the end of the experiment, after the adversary outputs $\pi^* = (\sigma^*, I^*, \mathbf{r}^*_{I^*}, \{\pi^*_{\mathsf{HBG},i}\}_{i \in I^*}, \pi^*_{\mathsf{HBM}})$, the challenger performs the following check:

– Compute $\mathbf{r} \leftarrow \mathcal{E}_2(\mathsf{st}_{\mathcal{E}}, \sigma^*)$. If $\mathsf{HBG.Verify}(\mathsf{crs}_{\mathsf{HBG}}, \sigma^*, i, r^*_i, \pi^*_{\mathsf{HBG},i}) = 1$ for all $i \in I^*$ and $\mathbf{r}_{I^*} \neq \mathbf{r}^*_{I^*}$, then the challenger aborts the experiment and outputs $\bot$.

For an adversary $\mathcal{A}$, we write $\mathsf{Hyb}_i(\mathcal{A})$ to denote the output distribution of an execution of experiment $\mathsf{Hyb}_i$ with adversary $\mathcal{A}$. We now show that each adjacent pair of hybrids are computationally indistinguishable, and moreover, that $\Pr[\mathsf{Hyb}_2(\mathcal{A}) = 1] = \mathrm{negl}(\lambda)$.

Lemma B.4. If $\Pi_{\mathsf{HBG}}$ satisfies computational binding, then for all efficient $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \overset{c}{\approx} \mathsf{Hyb}_1(\mathcal{A})$.

Proof. Follows immediately by the CRS indistinguishability property of E .

Lemma B.5. If $\Pi_{\mathsf{HBG}}$ satisfies computational binding, then for all efficient $\mathcal{A}$, $\mathsf{Hyb}_1(\mathcal{A}) \overset{c}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. The only difference between $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$ is the additional check the challenger performs when computing $\mathsf{Verify}(\mathsf{crs}, x, \pi^*)$. But if $\mathcal{A}$ manages to output a commitment $\sigma^*$ and an index $i \in [\rho]$ such that $\mathsf{HBG.Verify}(\mathsf{crs}_{\mathsf{HBG}}, \sigma^*, i, r^*_i, \pi^*_{\mathsf{HBG},i}) = 1$ and $r_i \neq r^*_i$ where $\mathbf{r} \leftarrow \mathcal{E}_2(\mathsf{st}_{\mathcal{E}}, \sigma^*)$, then $(\sigma^*, i, r^*_i, \pi^*_{\mathsf{HBG},i})$ breaks the binding property of $\Pi_{\mathsf{HBG}}$. Hence, if $\Pi_{\mathsf{HBG}}$ is computationally binding, then the probability that the additional check fails and the challenger aborts is negligible.

Lemma B.6. For all adversaries A, Pr[Hyb2(A) = 1] = negl(λ).

Proof. Follows by a similar argument as the proof of Lemma A.2.

Thus, for all efficient adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \overset{c}{\approx} \mathsf{Hyb}_2(\mathcal{A})$ and $\Pr[\mathsf{Hyb}_2(\mathcal{A}) = 1] = \mathrm{negl}(\lambda)$. Hence, the probability that $\mathsf{Hyb}_0(\mathcal{A})$ outputs 1 (meaning that $\mathcal{A}$ breaks non-adaptive soundness) is also negligible.

Theorem B.7 (Statistical Zero-Knowledge). If $\Pi_{\mathsf{HBM}}$ satisfies statistical zero-knowledge and $\Pi_{\mathsf{HBG}}$ provides statistical simulation, then $\Pi_{\mathsf{NIZK}}$ from Construction B.1 is statistical zero-knowledge.

Proof. Follows by a similar argument as the proof of Theorem 3.8.

C Analysis of Constructions from k-Lin (Section 4)

In this section, we provide the analysis of the dual-mode hidden-bits generators from Section 4.

C.1 Analysis of Construction 4.3 (Dual-Mode HBG from k-Lin)

In this section, we give the proofs for the correctness and security theorems (Theorems 4.4 to 4.8) for the dual-mode hidden-bits generator from the $k$-Lin assumption (Construction 4.3).


Proof of Theorem 4.4 (Correctness). Fix λ ∈ ℕ, a polynomial ρ = ρ(λ), an index i ∈ [ρ], and a mode mode ∈ {binding, hiding}. Let crs ← Setup(1^λ, 1^ρ, mode), (pk, sk) ← KeyGen(crs), and (σ, r, {π_i}_{i∈[ρ]}) ← GenBits(crs, pk). By construction, $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho})$, $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho})$, and $\mathsf{sk} = (a, \mathbf{b}_1, \ldots, \mathbf{b}_\rho)$. Moreover, $\mathbf{z}_i = \mathbf{w}_i a + \mathbf{V}\mathbf{b}_i$. In addition, $\sigma = g^{\mathbf{c}^T} = g^{\mathbf{y}^T\mathbf{V}}$, $r_i = H(g^{t_i})$, and $\pi_i = (g^{t_i}, g^{u_i})$, where $t_i = \mathbf{y}^T\mathbf{w}_i$ and $u_i = \mathbf{y}^T\mathbf{z}_i$ for some $\mathbf{y} \in \mathbb{Z}_p^{\rho+k}$. This means that
$$u_i = \mathbf{y}^T\mathbf{z}_i = \mathbf{y}^T(\mathbf{w}_i a + \mathbf{V}\mathbf{b}_i) = t_i a + \mathbf{c}^T\mathbf{b}_i,$$
and the verification algorithm accepts.

Proof of Theorem 4.5 (Succinctness). The length of a commitment in Construction 4.3 consists of k = O(1) group elements, each of which can be represented by a string of length poly(λ). Thus, |σ| = k · poly(λ) = poly(λ).

Proof of Theorem 4.6 (CRS Indistinguishability). Our analysis relies on the following corollary of the k-Lin assumption, which roughly says that an encoding of a random rank-k matrix is computationally indistinguishable from an encoding of a uniformly random matrix.

Lemma C.1 ([EHK+13]). Suppose GroupGen is a prime-order group generator where k-Lin holds. Then for all polynomials n = n(λ) where k ≤ n, the following two distributions are computationally indistinguishable:
$$(\mathcal{G}, g^{\mathbf{V}}, g^{\mathbf{V}\mathbf{s}}) \stackrel{c}{\approx} (\mathcal{G}, g^{\mathbf{V}}, g^{\mathbf{w}}),$$
where $\mathcal{G} = (\mathbb{G}, p, g) \gets \mathsf{GroupGen}(1^\lambda)$, $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{n\times k}$, $\mathbf{s} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{k}$, and $\mathbf{w} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{n}$.

To complete the proof, observe that the outputs of Setup(1^λ, 1^ρ, mode) for mode ∈ {binding, hiding} differ only in how the vectors w_1, …, w_ρ are sampled. In both cases, Setup starts by sampling $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{(\rho+k)\times k}$. Then, if mode = binding, $\mathbf{w}_i \gets \mathbf{V}\mathbf{s}_i$ for $\mathbf{s}_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$, while if mode = hiding, $\mathbf{w}_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\rho+k}$. By Lemma C.1, these two distributions are computationally indistinguishable, and the claim now follows by a standard hybrid argument.

Proof of Theorem 4.7 (Statistical Binding). We first define the (inefficient) Open algorithm as follows:

• Open(crs, σ) → r: On input a crs = $(\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho})$ and a commitment $\sigma = g^{\mathbf{c}^T}$, the open algorithm first recovers V, w_1, …, w_ρ by solving the discrete logarithm problem over 𝔾. For each i ∈ [ρ], it checks that $\mathbf{w}_i = \mathbf{V}\mathbf{s}_i$ for some $\mathbf{s}_i \in \mathbb{Z}_p^k$, and outputs ⊥ if not. If all checks pass, it computes $r_i \gets H(g^{\mathbf{c}^T\mathbf{s}_i})$ for each i ∈ [ρ] and outputs r.

To complete the proof, we use a hybrid argument:

• Hyb_0: This is the real binding experiment. Namely, the challenger starts by sampling crs ← Setup(1^λ, 1^ρ, binding) and (pk, sk) ← KeyGen(crs), and gives (crs, pk) to the adversary. By construction,
$$\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{V}\mathbf{s}_1}, \ldots, g^{\mathbf{V}\mathbf{s}_\rho}) \quad\text{and}\quad \mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho}),$$


where $\mathbf{z}_i = \mathbf{V}(\mathbf{s}_i a + \mathbf{b}_i)$. The adversary can then make queries to the verification oracle. On each query (σ, i, r_i, π_i), the challenger replies with Verify(crs, sk, σ, i, r_i, π_i). At the end of the game, the adversary outputs a tuple (σ*, i*, r*, π*). The output of the experiment is 1 if $r^* \neq r_{i^*}$ where r ← Open(crs, σ*) and Verify(crs, sk, σ*, i*, r*, π*) = 1.

• Hyb_1: Same as Hyb_0, except the challenger samples $\mathbf{x}_1, \ldots, \mathbf{x}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ and computes $\mathbf{z}_i \gets \mathbf{V}\mathbf{x}_i$. It then samples $a \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ and sets $\mathbf{b}_i \gets \mathbf{x}_i - \mathbf{s}_i a$.

• Hyb_2: Same as Hyb_1, except the challenger implements Verify(crs, sk, σ, i, r_i, π_i) by computing Verify*(σ, r_i, π_i, s_i, x_i), where on input $\sigma = g^{\mathbf{c}^T}$, $r_i \in \{0,1\}$, $\pi_i = (g^{t_i}, g^{u_i})$, $\mathbf{s}_i \in \mathbb{Z}_p^k$, $\mathbf{x}_i \in \mathbb{Z}_p^k$, Verify*(σ, r_i, π_i, s_i, x_i) outputs 1 if and only if
$$r_i = H(g^{t_i}) \quad\text{and}\quad t_i = \mathbf{c}^T\mathbf{s}_i \quad\text{and}\quad u_i = \mathbf{c}^T\mathbf{x}_i.$$

For an adversary A, we write Hyb_i(A) to denote the output of Hyb_i with adversary A. We show that the output distributions of each adjacent pair of hybrid experiments are statistically indistinguishable, and moreover, that Hyb_2(A) outputs 0 with overwhelming probability for all adversaries A.

Lemma C.2. For all adversaries A, Hyb0(A) ≡ Hyb1(A).

Proof. Follows by construction.

Lemma C.3. For all adversaries A, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. We use a hybrid argument. The challenger evaluates Verify at most Q + 1 times, where Q = poly(λ) is the bound on the number of queries the adversary makes (the challenger also evaluates Verify at the end to determine the output of the experiment). We define a sequence of intermediate hybrids Hyb_{1,j} for j ∈ {0, …, Q + 1}, where in hybrid Hyb_{1,j}, the first j queries are handled according to the specification in Hyb_2 while the remaining queries are handled according to the specification in Hyb_1. By construction, Hyb_1 ≡ Hyb_{1,0} and Hyb_2 ≡ Hyb_{1,Q+1}. Consider Hyb_{1,j−1} and Hyb_{1,j} for j ∈ [Q + 1]. These two experiments only differ in how the challenger computes the output for the jth Verify call. Let (crs, sk, σ, i, r_i, π_i) be the arguments to the jth Verify call, where $\sigma = g^{\mathbf{c}^T}$ and $\pi_i = (g^{t_i}, g^{u_i})$. Consider the behavior in Hyb_{1,j−1}. Here, the verifier accepts only if
$$r_i = H(g^{t_i}) \quad\text{and}\quad u_i = t_i a + \mathbf{c}^T\mathbf{b}_i = \mathbf{c}^T(\mathbf{s}_i a + \mathbf{b}_i) + (t_i - \mathbf{c}^T\mathbf{s}_i)a = \mathbf{c}^T\mathbf{x}_i + (t_i - \mathbf{c}^T\mathbf{s}_i)a.$$
We consider two possibilities:

• If $t_i = \mathbf{c}^T\mathbf{s}_i$, then Verify in Hyb_{1,j−1} outputs 1 if and only if $r_i = H(g^{t_i})$ and $u_i = \mathbf{c}^T\mathbf{x}_i$. This is identical to the behavior of Verify* in Hyb_{1,j}.

• If $t_i \neq \mathbf{c}^T\mathbf{s}_i$, then the output in Hyb_{1,j−1} is 1 only if $a = (u_i - \mathbf{c}^T\mathbf{x}_i)(t_i - \mathbf{c}^T\mathbf{s}_i)^{-1}$. In Hyb_{1,j−1}, neither the public parameters (crs and pk) nor the responses to the first j − 1 queries depend on the value of a (in particular, Verify* is independent of a, and thus leaks no information about a). Thus, the challenger can sample $a \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ after the adversary has chosen c, t_i, and u_i. In this case, Verify outputs 1 with probability 1/p = negl(λ). Thus, with overwhelming probability, the output in Hyb_{1,j−1} is 0. This is the output of Verify* in Hyb_{1,j}.


Since the outputs of Verify in Hyb_1 and Verify* in Hyb_2 are statistically indistinguishable for each query, the claim now follows by a hybrid argument. To conclude the proof, it suffices to show that the output in Hyb_2 is always 0. Let (σ*, i*, r*, π*) be the adversary's output in Hyb_2. The output in Hyb_2 is 1 only if Verify(crs, sk, σ*, i*, r*, π*) = 1 and $r_{i^*} \neq r^*$ where r ← Open(crs, σ*). Write $\sigma^* = g^{(\mathbf{c}^*)^T}$ and $\pi^* = (g^{t^*_i}, g^{u^*_i})$. By definition of Open, $r_{i^*} = H(g^{(\mathbf{c}^*)^T\mathbf{s}_{i^*}})$. In Hyb_2, the Verify function outputs 1 only if $t^*_i = (\mathbf{c}^*)^T\mathbf{s}_{i^*}$ and
$$r^* = H(g^{t^*_i}) = H(g^{(\mathbf{c}^*)^T\mathbf{s}_{i^*}}) = r_{i^*}.$$
But then, the output of Hyb_2 is 0. Since the outputs of Hyb_0 and Hyb_2 are statistically indistinguishable, this means that the output in Hyb_0 is also 0 with overwhelming probability.

Theorem 4.7 now follows by a hybrid argument.

Proof of Theorem 4.8 (Statistical Simulation). We construct a simulator S = (S_1, S_2) as follows:

• $\mathcal{S}_1(1^\lambda, 1^\rho) \to (\mathsf{st}_{\mathcal{S}}, \mathsf{crs}, \mathsf{pk}, \mathsf{sk})$: Sample $\mathcal{G} = (\mathbb{G}, p, g) \gets \mathsf{GroupGen}(1^\lambda)$, $H \xleftarrow{\mathrm{R}} \mathcal{H}$, $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{(\rho+k)\times k}$, $\mathbf{w}_1, \ldots, \mathbf{w}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\rho+k}$, $a \xleftarrow{\mathrm{R}} \mathbb{Z}_p$, and $\mathbf{b}_1, \ldots, \mathbf{b}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$. For each i ∈ [ρ], let $\mathbf{z}_i \gets \mathbf{w}_i a + \mathbf{V}\mathbf{b}_i$. In the following, we will write
$$\mathbf{W} = [\, \mathbf{w}_1 \mid \cdots \mid \mathbf{w}_\rho \mid \mathbf{V} \,] \in \mathbb{Z}_p^{(\rho+k)\times(\rho+k)}. \tag{C.1}$$
Output $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho})$, $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho})$, $\mathsf{sk} = (a, \mathbf{b}_1, \ldots, \mathbf{b}_\rho)$, and $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, \mathsf{pk}, \mathbf{W})$.

• $\mathcal{S}_2(\mathsf{st}_{\mathcal{S}}, I, \mathbf{r}_I) \to (\sigma, \{\pi_i\}_{i\in I})$: On input $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, \mathsf{pk}, \mathbf{W})$ where
$$\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho}) \quad\text{and}\quad \mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho}),$$
a set of indices I ⊆ [ρ], and a bitstring $\mathbf{r}_I \in \{0,1\}^{|I|}$, the simulator samples a vector $\mathbf{t} \in \mathbb{Z}_p^\rho$ as follows:

  – For each i ∈ I, sample $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ conditioned on $H(g^{t_i}) = r_i$. Specifically, the simulator repeatedly samples $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ until finding one that satisfies $H(g^{t_i}) = r_i$. If no such t_i is found after λ iterations, then the simulator aborts and outputs ⊥.

  – For the remaining indices i ∈ [ρ] \ I, sample $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$.

  Next, it samples $\mathbf{c} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ and sets $\mathbf{y}^T \gets [\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \mathbf{W}^{-1}$ (outputting ⊥ if W is not invertible). It computes $\sigma = g^{\mathbf{c}^T}$ and $g^{u_i} \gets g^{\mathbf{y}^T\mathbf{z}_i}$ for each i ∈ I. It outputs σ and $\{\pi_i\}_{i\in I}$ where $\pi_i = (g^{t_i}, g^{u_i})$.

To show that ExptHide[A, 0] and ExptHide[A, 1] are statistically indistinguishable, we use a hybrid argument:

• Hyb_0: This is the distribution in ExptHide[A, S, 0]. Namely, the challenger begins by sampling crs ← Setup(1^λ, 1^ρ, hiding) and (pk, sk) ← KeyGen(crs). For each challenge query, the challenger first samples (σ, r, {π_i}_{i∈[ρ]}) ← GenBits(crs, pk) and gives r to A to receive a set I ⊆ [ρ]. It then replies with σ and {π_i}_{i∈I}.


• Hyb_1: Same as Hyb_0, except the challenger computes (st_S, crs, pk, sk) ← S_1(1^λ, 1^ρ) and uses the simulator's crs, pk, and sk in place of those output by Setup and KeyGen. Specifically, the challenger samples $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{(\rho+k)\times k}$, $\mathbf{w}_1, \ldots, \mathbf{w}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\rho+k}$, $a \xleftarrow{\mathrm{R}} \mathbb{Z}_p$, and $\mathbf{b}_1, \ldots, \mathbf{b}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$. For each i ∈ [ρ], it sets $\mathbf{z}_i \gets \mathbf{w}_i a + \mathbf{V}\mathbf{b}_i$. It sets $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho})$, $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho})$, and $\mathsf{sk} = (a, \mathbf{b}_1, \ldots, \mathbf{b}_\rho)$. On each challenge query, the challenger samples $\mathbf{y} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\rho+k}$ and computes $[\, \mathbf{t}^T \mid \mathbf{c}^T \,] \gets \mathbf{y}^T\mathbf{W}$, $r_i \gets H(g^{t_i})$, and $g^{u_i} \gets g^{\mathbf{y}^T\mathbf{z}_i}$ for each i ∈ [ρ], where W is defined in Eq. (C.1). The challenger sends r to the adversary and receives a set I ⊆ [ρ]. The challenger replies with $\sigma = g^{\mathbf{c}^T}$ and $\{\pi_i\}_{i\in I} = \{(g^{t_i}, g^{u_i})\}_{i\in I}$.

• Hyb_2: Same as Hyb_1, except when responding to the challenge queries, instead of sampling $\mathbf{y} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\rho+k}$, the challenger samples $\mathbf{t} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^\rho$ and $\mathbf{c} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$. It sets $\mathbf{y}^T \gets [\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \mathbf{W}^{-1}$ (and outputs ⊥ if W is not invertible). All remaining components are constructed as in Hyb_1.

• Hyb_3: Same as Hyb_2 except when responding to the challenge queries, the challenger first samples $\mathbf{r} \xleftarrow{\mathrm{R}} \{0,1\}^\rho$. For each i ∈ [ρ], it samples $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ conditioned on $H(g^{t_i}) = r_i$. The challenger uses the same rejection procedure for this step as in S_2. It samples $\mathbf{c} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ and the remaining components as in Hyb_2.

• Hyb_4: Same as Hyb_3 except when responding to the challenge queries, the challenger samples t after it receives the challenge set. In particular, on each query, after the challenger receives the set I ⊆ [ρ], it samples $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ conditioned on $H(g^{t_i}) = r_i$ if i ∈ I and $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ otherwise. All remaining components are constructed as in Hyb_3. This is the distribution in ExptHide[A, S, 1].

For an adversary A, we write Hyb_i(A) to denote the output distribution of experiment Hyb_i with adversary A. We now show that for all adversaries A, the output distributions of each consecutive pair of hybrids are either statistically indistinguishable or identically distributed.

Lemma C.4. For all adversaries A, Hyb0(A) ≡ Hyb1(A).

Proof. Since S_1(1^λ, 1^ρ) samples crs, pk, and sk using the same procedure as Setup and KeyGen, the output distributions of hybrids Hyb_0 and Hyb_1 are identical.

Lemma C.5. For all adversaries A, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. With overwhelming probability, W is full-rank and thus invertible. In this case, the distributions of y in Hyb_1 and Hyb_2 are identical. Thus, the output distributions of Hyb_1 and Hyb_2 are statistically indistinguishable.

Lemma C.6. If ℋ is statistically uniform, then for all adversaries A, $\mathsf{Hyb}_2(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_3(\mathcal{A})$.

Proof. Since H is sampled from a hash family that satisfies statistical uniformity, the distribution of $H(g^{t_i})$ when $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ is statistically close to uniform over {0,1}. Thus, in Hyb_2, each bit r_i is statistically close to uniform. It suffices to argue that the sampling algorithm in Hyb_3 does not abort. If this is the case, then the two distributions are statistically close. Again, using the fact that ℋ is statistically uniform, for a random $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$, $\Pr[H(g^{t_i}) = r_i] \geq 1/2 - \mathrm{negl}(\lambda)$ for any r_i ∈ {0,1}. Thus, with overwhelming probability, the challenger successfully finds a t_i after λ independent attempts. Since ρ = poly(λ) and the adversary makes at most q = poly(λ) queries, the claim now follows by a union bound.


Lemma C.7. For all adversaries A, Hyb3(A) ≡ Hyb4(A).

Proof. First, the challenger's first message to the adversary in both experiments is (crs, pk, sk) where $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_\rho})$, $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_\rho})$, and $\mathsf{sk} = (a, \mathbf{b}_1, \ldots, \mathbf{b}_\rho)$. These components are identically distributed in the two experiments. We consider the challenge queries. On each challenge query, in both Hyb_3 and Hyb_4, the challenger sends the adversary a random string $\mathbf{r} \xleftarrow{\mathrm{R}} \{0,1\}^\rho$. To conclude the proof, we argue that the challenger's response to each challenge query is identically distributed in the two experiments. In particular, after the adversary outputs a set I ⊆ [ρ], the challenger replies with a commitment $\sigma = g^{\mathbf{c}^T}$ and a collection of proofs $\{\pi_i\}_{i\in I} = \{(g^{t_i}, g^{u_i})\}_{i\in I}$. We show that c, t_i, u_i for i ∈ I in Hyb_3 and Hyb_4 are identically distributed:

• In Hyb_3 and Hyb_4, for all i ∈ I, the challenger samples $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ subject to $H(g^{t_i}) = r_i$. Thus, the distribution of t_i for each i ∈ I is identical in the two experiments.

• In Hyb_3 and Hyb_4, $\mathbf{c} \in \mathbb{Z}_p^k$ is independent and uniformly distributed.

• In Hyb_3 and Hyb_4, $u_i = \mathbf{y}^T\mathbf{z}_i = \mathbf{y}^T(\mathbf{w}_i a + \mathbf{V}\mathbf{b}_i) = t_i a + \mathbf{c}^T\mathbf{b}_i$. Since a, b_i, t_i, c are all identically distributed in the two experiments for i ∈ I, we conclude that u_i is identically distributed in Hyb_3 and Hyb_4 for all i ∈ I.

Theorem 4.8 now follows by a hybrid argument.

Remark C.8 (Perfect Simulation in Hiding Mode). A modified version of Construction 4.3 can be shown to satisfy perfect simulation in hiding mode. Specifically, we make the following adjustments:

• Modify Setup(1^λ, 1^ρ, hiding) so that it always outputs V, w_1, …, w_ρ such that the matrix W in Eq. (C.1) is full-rank. This property already holds with overwhelming probability, so this only introduces a negligible loss to the CRS indistinguishability property. With this change, Hyb_1 and Hyb_2 in the proof of Theorem 4.8 are identically distributed.

• Replace the hash family ℋ with one that is perfectly uniform and for which there is a procedure to exactly sample $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ such that $H(g^{t_i}) = r_i$.

Currently, ℋ is a hash family from a prime-order group 𝔾 to {0,1}, so perfect uniformity is impossible. However, we can modify the construction to use a hash function with domain 𝔾 \ {g^0}, where g^0 ∈ 𝔾 denotes the identity element. To enforce this, we modify the GenBits algorithm to sample $\mathbf{y} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\rho+k}$ subject to the restriction that $t_i = (\mathbf{y}^T\mathbf{W})_i \neq 0$ for all i ∈ [ρ]. A randomly-sampled y will satisfy this property with overwhelming probability (since 1/p = negl(λ)), and thus this can only change the distribution of GenBits by a negligible amount. With this modification, and assuming that ℋ is a perfectly uniform family of hash functions from 𝔾 \ {[0]} to {0,1} and that there is an efficient algorithm to sample $t_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ such that $H(g^{t_i}) = r_i$, hybrids Hyb_2 and Hyb_3 in the proof of Theorem 4.8 are identically distributed. As we show in Section 6, it is straightforward to construct a hash function with these properties when 𝔾 is an elliptic curve group over a finite field (see Remark 6.3).

With these modifications, each pair of adjacent hybrids in the proof of Theorem 4.8 is identically distributed, and we conclude that Π_HBG satisfies perfect simulation in hiding mode. Combined with Construction 3.4, this gives a dual-mode NIZK with perfect zero-knowledge in hiding mode.


C.2 Analysis of Construction 4.13 (Publicly-Verifiable HBG from Pairings)

In this section, we give the proofs for the correctness and security theorems (Theorems 4.14 to 4.17) for the publicly-verifiable hidden-bits generator from pairings (Construction 4.13).

Proof of Theorem 4.14 (Correctness). Fix λ ∈ ℕ, a polynomial ρ = ρ(λ), and an index i ∈ [ρ]. Let crs ← Setup(1^λ, 1^ρ) and (σ, r, {π_i}_{i∈[ρ]}) ← GenBits(crs). Consider the value of Verify(crs, σ, i, r_i, π_i). First, by construction,
$$\mathsf{crs} = \Big(\mathcal{G}, H, g_1^{\mathbf{V}}, g_2^{\bar{\mathbf{a}}^T}, g_2^{\mathbf{D}}, \{g_1^{\mathbf{w}_i}, g_1^{\mathbf{Z}_i}, g_2^{\bar{\mathbf{B}}_i}\}_{i\in[\rho]}\Big),$$
$\bar{\mathbf{a}}^T = \mathbf{a}^T\mathbf{D}$, $\mathbf{Z}_i = \mathbf{w}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i$, and $\bar{\mathbf{B}}_i = \mathbf{B}_i\mathbf{D}$. In addition, $\sigma = g_1^{\mathbf{c}^T} = g_1^{\mathbf{y}^T\mathbf{V}}$, $r_i = H(g_1^{t_i})$, and $\pi_i = (g_1^{t_i}, g_1^{\mathbf{u}_i^T})$, where
$$g_1^{t_i} = g_1^{\mathbf{y}^T\mathbf{w}_i} \quad\text{and}\quad g_1^{\mathbf{u}_i^T} = g_1^{\mathbf{y}^T\mathbf{Z}_i} = g_1^{\mathbf{y}^T(\mathbf{w}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i)}.$$
It suffices to check that Eq. (4.3) holds. By construction,
$$e(g_1^{t_i}, g_2^{\bar{\mathbf{a}}^T}) \cdot e(g_1^{\mathbf{c}^T}, g_2^{\bar{\mathbf{B}}_i}) = e(g_1, g_2)^{(\mathbf{y}^T\mathbf{w}_i)(\mathbf{a}^T\mathbf{D}) + (\mathbf{y}^T\mathbf{V})(\mathbf{B}_i\mathbf{D})} = e(g_1, g_2)^{\mathbf{y}^T(\mathbf{w}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i)\mathbf{D}} = e(g_1^{\mathbf{u}_i^T}, g_2^{\mathbf{D}}),$$
and Verify accepts.

Proof of Theorem 4.15 (Succinctness). The length of a commitment in Construction 4.13 consists of k = O(1) elements in 𝔾_1, each of which can be represented by a string of length poly(λ). Thus, |σ| = k · poly(λ) = poly(λ).

Proof of Theorem 4.16 (Computational Binding). We begin by constructing an efficient extractor E = (E_1, E_2) as follows:

• $\mathcal{E}_1(1^\lambda, 1^\rho) \to (\mathsf{st}_{\mathcal{E}}, \mathsf{crs})$: Sample $\mathcal{G} = (\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, g_1, g_2, e) \gets \mathsf{PairingGroupGen}(1^\lambda)$ and $H \xleftarrow{\mathrm{R}} \mathcal{H}$. Sample $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{(\rho+k)\times k}$. For all i ∈ [ρ], sample $\mathbf{s}_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ and set $\mathbf{w}_i \gets \mathbf{V}\mathbf{s}_i$. Sample verification components $\mathbf{a} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{k+1}$, $\mathbf{B}_1, \ldots, \mathbf{B}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{k\times(k+1)}$, $\mathbf{d} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$, and set D as in Eq. (4.2). Then, set $\bar{\mathbf{a}}^T \gets \mathbf{a}^T\mathbf{D}$ and for each i ∈ [ρ], let $\mathbf{Z}_i \gets \mathbf{w}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i$ and $\bar{\mathbf{B}}_i \gets \mathbf{B}_i\mathbf{D}$ as in Setup. Output
$$\mathsf{crs} = \Big(\mathcal{G}, H, g_1^{\mathbf{V}}, g_2^{\bar{\mathbf{a}}^T}, g_2^{\mathbf{D}}, \{g_1^{\mathbf{w}_i}, g_1^{\mathbf{Z}_i}, g_2^{\bar{\mathbf{B}}_i}\}_{i\in[\rho]}\Big) \quad\text{and}\quad \mathsf{st}_{\mathcal{E}} = (H, \mathbf{s}_1, \ldots, \mathbf{s}_k).$$

• $\mathcal{E}_2(\mathsf{st}_{\mathcal{E}}, \sigma) \to \mathbf{r}$: On input $\mathsf{st}_{\mathcal{E}} = (H, \mathbf{s}_1, \ldots, \mathbf{s}_k)$ and a commitment $\sigma = g_1^{\mathbf{c}^T}$, compute $r_i \gets H(g_1^{\mathbf{c}^T\mathbf{s}_i})$ for each i ∈ [ρ]. Output r. This is a deterministic algorithm by construction.

We now show that E satisfies the two required properties.

CRS indistinguishability. The only difference between the CRS output by Setup and that output by E_1 is in how the w_i are sampled (from $\mathbf{w}_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{k}$ in Setup to $\mathbf{w}_i \gets \mathbf{V}\mathbf{s}_i$ where $\mathbf{s}_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ in E_1). This is precisely the distinction between the CRS in the hiding mode and the CRS in the binding mode in Construction 4.3. As such, the proof follows via the same argument as in the proof of Theorem 4.6 (by appealing to k-Lin in 𝔾_1).


Binding. We use a hybrid argument:

• Hyb_0: This is the real binding experiment. Namely, the challenger starts by sampling (st_E, crs) ← Setup(1^λ, 1^ρ) and gives $\mathsf{crs} = (\mathcal{G}, H, g_1^{\mathbf{V}}, g_2^{\bar{\mathbf{a}}^T}, g_2^{\mathbf{D}}, \{g_1^{\mathbf{w}_i}, g_1^{\mathbf{Z}_i}, g_2^{\bar{\mathbf{B}}_i}\}_{i\in[\rho]})$ to the adversary. Here, $\mathbf{w}_i = \mathbf{V}\mathbf{s}_i$, $\bar{\mathbf{a}}^T = \mathbf{a}^T\mathbf{D}$, $\mathbf{Z}_i = \mathbf{w}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i$, and $\bar{\mathbf{B}}_i = \mathbf{B}_i\mathbf{D}$. The adversary then outputs a tuple (σ*, i*, r*, π*). The output of the experiment is 1 if $r^* \neq r_{i^*}$ where r ← E_2(st_E, σ*) and Verify(crs, σ*, i*, r*, π*) = 1. Otherwise, the output is 0.

• Hyb_1: Same as Hyb_0 except after the adversary outputs its tuple (σ*, i*, r*, π*), the challenger performs the following additional check. First, write $\sigma^* = g_1^{(\mathbf{c}^*)^T}$ and $\pi^* = (g_1^{t^*}, g_1^{(\mathbf{u}^*)^T})$. The output of Hyb_1 is 0 if Verify(crs, σ*, i*, r*, π*) = 1 and $t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} \neq (\mathbf{u}^*)^T$. Otherwise, the output of Hyb_1 is computed as in Hyb_0.

We write Hyb_i(A) to denote the output of experiment Hyb_i with adversary A. To complete the proof, we show that for all efficient adversaries A, the output distributions of Hyb_0(A) and Hyb_1(A) are computationally indistinguishable, and moreover, that Hyb_1(A) outputs 1 with negligible probability. This means that the output in Hyb_0 (the real binding experiment) is 1 with negligible probability, which proves the claim.

Lemma C.9. Suppose the k-KerLin assumption holds in 𝔾_2 with respect to PairingGroupGen. Then, for all efficient adversaries A, $\mathsf{Hyb}_0(\mathcal{A}) \stackrel{c}{\approx} \mathsf{Hyb}_1(\mathcal{A})$.

Proof. The only difference between Hyb_0(A) and Hyb_1(A) is the additional check the challenger performs at the end of the experiment. Suppose there exists an efficient adversary A such that Pr[Hyb_0(A) = 1] > Pr[Hyb_1(A) = 1] + ε for some non-negligible ε. We use A to construct an adversary B that breaks the k-KerLin assumption:

1. Algorithm B receives the k-KerLin challenge $\mathcal{G} = (\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T, p, g_1, g_2, e)$ and a matrix $g_2^{\mathbf{D}}$ from the challenger (where $\mathbf{D} \in \mathbb{Z}_p^{(k+1)\times k}$ has the form in Eq. (4.2)). It uses the challenge to simulate a CRS as follows. First, it samples $H \xleftarrow{\mathrm{R}} \mathcal{H}$ and $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{(\rho+k)\times k}$, and vectors $\mathbf{s}_1, \ldots, \mathbf{s}_k \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$. It also samples verification components $\mathbf{a} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{k+1}$ and $\mathbf{B}_1, \ldots, \mathbf{B}_\rho \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{k\times(k+1)}$. Finally, it sets
$$\mathsf{crs} = \Big(\mathcal{G}, H, g_1^{\mathbf{V}}, g_2^{\mathbf{a}^T\mathbf{D}}, g_2^{\mathbf{D}}, \{g_1^{\mathbf{V}\mathbf{s}_i}, g_1^{\mathbf{V}\mathbf{s}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i}, g_2^{\mathbf{B}_i\mathbf{D}}\}_{i\in[\rho]}\Big).$$
Note that B can efficiently compute the components $g_2^{\mathbf{a}^T\mathbf{D}}$ and $g_2^{\mathbf{B}_i\mathbf{D}}$ from the challenge component $g_2^{\mathbf{D}}$ since it knows a and B_i. The challenger gives crs to A.

2. Algorithm A outputs $\sigma^* = g_1^{(\mathbf{c}^*)^T}$, i* ∈ [ρ], r* ∈ {0,1}, and $\pi^* = (g_1^{t^*}, g_1^{(\mathbf{u}^*)^T})$.

3. Algorithm B outputs the group element $g_1^{t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} - (\mathbf{u}^*)^T}$. This can be computed efficiently given $g_1^{t^*}$, $g_1^{(\mathbf{c}^*)^T}$, $g_1^{(\mathbf{u}^*)^T}$, a, and $\mathbf{B}_{i^*}$, all of which are known to B.

By construction, B perfectly simulates crs according to the specification in Hyb_0. Thus, with probability ε, algorithm A will output $g_1^{(\mathbf{c}^*)^T}$, $g_1^{t^*}$, and $g_1^{(\mathbf{u}^*)^T}$ such that Verify(crs, σ*, i*, r*, π*) = 1 and $t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} \neq (\mathbf{u}^*)^T$. If the output of Verify is 1, then it must be the case that
$$e(g_1^{t^*}, g_2^{\mathbf{a}^T\mathbf{D}}) \cdot e(g_1^{(\mathbf{c}^*)^T}, g_2^{\mathbf{B}_{i^*}\mathbf{D}}) = e(g_1^{(\mathbf{u}^*)^T}, g_2^{\mathbf{D}}),$$


or equivalently,
$$t^*\mathbf{a}^T\mathbf{D} + (\mathbf{c}^*)^T\mathbf{B}_{i^*}\mathbf{D} = (t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*})\mathbf{D} = (\mathbf{u}^*)^T\mathbf{D}.$$
This means that $(t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} - (\mathbf{u}^*)^T)\mathbf{D} = \mathbf{0}$. Since $t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} \neq (\mathbf{u}^*)^T$, this means that $g_1^{t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} - (\mathbf{u}^*)^T}$ is a valid solution to the k-KerLin challenge. Thus, B breaks k-KerLin with the same advantage ε.

To complete the proof, it suffices to show that in Hyb_1, the output is 0 with overwhelming probability. We show that this is the case for all (possibly unbounded) adversaries A. Our analysis will rely on the following claim from [KW15, Lemma 2]:

Lemma C.10 ([KW15, Lemma 2]). Let n, t, k be integers. Fix any matrix $\mathbf{M} \in \mathbb{Z}_p^{n\times t}$ and $\mathbf{D} \in \mathbb{Z}_p^{(k+1)\times k}$. Then, for all (possibly unbounded) adversaries A, if we sample $\mathbf{K} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{n\times(k+1)}$ and $(\mathbf{z}, \mathbf{y}) \gets \mathcal{A}(\mathbf{M}^T\mathbf{K}, \mathbf{K}\mathbf{D})$,
$$\Pr[\mathbf{y} \notin \mathrm{span}(\mathbf{M}) \wedge \mathbf{z}^T = \mathbf{y}^T\mathbf{K}] \leq 1/p.$$

To complete the proof, let $\mathsf{crs} = (\mathcal{G}, H, g_1^{\mathbf{V}}, g_2^{\bar{\mathbf{a}}^T}, g_2^{\mathbf{D}}, \{g_1^{\mathbf{w}_i}, g_1^{\mathbf{Z}_i}, g_2^{\bar{\mathbf{B}}_i}\}_{i\in[\rho]})$ be the simulated CRS in Hyb_1, and let (σ*, i*, r*, π*) be the adversary's output, where $\sigma^* = g_1^{(\mathbf{c}^*)^T}$ and $\pi^* = (g_1^{t^*}, g_1^{(\mathbf{u}^*)^T})$. The state st_E is $\mathsf{st}_{\mathcal{E}} = (H, \mathbf{s}_1, \ldots, \mathbf{s}_k)$. In this case, $\mathbf{w}_i = \mathbf{V}\mathbf{s}_i$, $\bar{\mathbf{a}}^T = \mathbf{a}^T\mathbf{D}$, $\mathbf{Z}_i = \mathbf{w}_i\mathbf{a}^T + \mathbf{V}\mathbf{B}_i$, and $\bar{\mathbf{B}}_i = \mathbf{B}_i\mathbf{D}$. We now show that with overwhelming probability, the output of Hyb_1 is 0:

• If Verify(crs, σ*, i*, r*, π*) = 0, then the output in Hyb_1 is 0 by definition.

• Suppose $t^* = (\mathbf{c}^*)^T\mathbf{s}_{i^*}$. Then, if Verify(crs, σ*, i*, r*, π*) = 1, it must be the case that $r^* = H(g_1^{t^*}) = H(g_1^{(\mathbf{c}^*)^T\mathbf{s}_{i^*}})$. Let r ← E_2(st_E, σ*). By definition, $r_{i^*} = H(g_1^{(\mathbf{c}^*)^T\mathbf{s}_{i^*}})$. But in this case, $r^* = r_{i^*}$, and the output in Hyb_1 is 0.

• Suppose that $t^* \neq (\mathbf{c}^*)^T\mathbf{s}_{i^*}$. Here, we will rely on Lemma C.10. Let $\mathbf{w} \in \mathbb{Z}_p^{\rho(\rho+k)}$ be the vector formed by stacking w_1, …, w_ρ, and define matrices K and M as follows:
$$\mathbf{K} = \begin{bmatrix} \mathbf{a}^T \\ \mathbf{B}_1 \\ \vdots \\ \mathbf{B}_\rho \end{bmatrix} \in \mathbb{Z}_p^{(\rho k+1)\times(k+1)} \quad\text{and}\quad \mathbf{M}^T = [\, \mathbf{w} \mid \mathbf{I}_\rho \otimes \mathbf{V} \,] \in \mathbb{Z}_p^{\rho(\rho+k)\times(\rho k+1)}.$$
By construction, observe that all of the group elements in crs are a function of the components of M (i.e., the components V, w_i), D, $\mathbf{M}^T\mathbf{K}$ (i.e., Z_i), and KD (i.e., $\bar{\mathbf{a}}$, $\bar{\mathbf{B}}_i$). Thus, by Lemma C.10, over a uniform choice of K (correspondingly, over a random choice of the verification parameters a, B_i), no adversary A (given M, D, $\mathbf{M}^T\mathbf{K}$, and KD) can output y and u* such that y ∉ span(M) and $(\mathbf{u}^*)^T = \mathbf{y}^T\mathbf{K}$, except with negligible probability. Consider $\mathbf{y}^T = [\, t^* \mid \mathbf{e}_{i^*}^T \otimes (\mathbf{c}^*)^T \,] \in \mathbb{Z}_p^{\rho k+1}$, where $\mathbf{e}_{i^*} \in \mathbb{Z}_p^\rho$ denotes the (i*)th basis vector. Since $t^* \neq (\mathbf{c}^*)^T\mathbf{s}_{i^*}$, y ∉ span(M), so by Lemma C.10, $\Pr[\mathbf{y}^T\mathbf{K} = (\mathbf{u}^*)^T] = \mathrm{negl}(\lambda)$. Since $\mathbf{y}^T\mathbf{K} = t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*}$, this means that with overwhelming probability,
$$t^*\mathbf{a}^T + (\mathbf{c}^*)^T\mathbf{B}_{i^*} \neq (\mathbf{u}^*)^T.$$
In this case, if Verify(crs, σ*, i*, r*, π*) = 1, then the output in Hyb_1 is 0 by definition. (And if the output of Verify is 0, the output in Hyb_1 is also 0.) With overwhelming probability, the output of Hyb_1 in this case is 0.


Proof of Theorem 4.17 (Statistical Simulation). Follows by the same argument as in the proof of Theorem 4.8.

C.3 Analysis of Construction 4.18 (Dual-Mode (Malicious) HBG from k-Lin)

In this section, we give the proofs for the correctness and security theorems (Theorems 4.19 to 4.23) for the hidden-bits generator with malicious security from the k-Lin assumption (Construction 4.18).

Proof of Theorem 4.19 (Correctness). Follows by an analogous argument as in the proof of Theorem 4.4.

Proof of Theorem 4.20 (Succinctness). The commitment σ in Construction 4.18 consists of a PRG seed s ∈ {0,1}^κ where κ = poly(λ) and k = O(1) group elements $g^{\mathbf{c}^T} \in \mathbb{G}^k$. Thus, |σ| = poly(λ).

Proof of Theorem 4.21 (CRS Indistinguishability). Same as the proof of Theorem 4.6.

Proof of Theorem 4.22 (Statistical Binding). This follows by an analogous argument as the proof of Theorem 4.7. In particular, we first define the following (inefficient) Open algorithm:

• Open(crs, σ) → r: On input a crs = $(\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_{\ell'}})$ and a commitment $\sigma = (s, g^{\mathbf{c}^T})$, the open algorithm first recovers V, w_1, …, w_{ℓ'} by solving the discrete logarithm problem over 𝔾. For each i ∈ [ℓ'], it checks that $\mathbf{w}_i = \mathbf{V}\mathbf{s}_i$ for some $\mathbf{s}_i \in \mathbb{Z}_p^k$, and outputs ⊥ if not. If all checks pass, it computes (S_1, …, S_ρ, α) ← G(s) and the shifted sets $\bar{S}_i \gets \{j + \ell\cdot(i-1) \mid j \in S_i\}$ for each i ∈ [ρ]. It computes
$$r_i \gets H\Big(\prod_{j\in\bar{S}_i} g^{\alpha_j\mathbf{c}^T\mathbf{s}_j}\Big)$$
for each i ∈ [ρ], and outputs r.

As in the proof of Theorem 4.7, we use a hybrid argument to complete the proof:

• Hyb_0: This is the real binding experiment.

• Hyb_1: Same as Hyb_0, except when generating the public key $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_{\ell'}})$, the challenger samples $\mathbf{x}_1, \ldots, \mathbf{x}_{\ell'} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ and sets $\mathbf{z}_i \gets \mathbf{V}\mathbf{x}_i$. Afterwards, it samples $a \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ and sets $\mathbf{b}_i \gets \mathbf{x}_i - \mathbf{s}_i a$ for use as the (secret) verification coefficients.

• Hyb_2: Same as Hyb_1 except the challenger implements Verify(crs, sk, σ, i, r_i, π_i) by computing Verify*(σ, r_i, π_i, (s_1, …, s_{ℓ'}), (x_1, …, x_{ℓ'})), which does the following. On input $\sigma = (s, g^{\mathbf{c}^T})$, r_i ∈ {0,1}, $\pi_i = \{(j, g^{t_j}, g^{u_j})\}_{j\in S}$ for some implicitly-defined set S ⊆ [ℓ'], and vectors $\mathbf{s}_1, \ldots, \mathbf{s}_{\ell'} \in \mathbb{Z}_p^k$, $\mathbf{x}_1, \ldots, \mathbf{x}_{\ell'} \in \mathbb{Z}_p^k$, compute (S_1, …, S_ρ, α) ← G(s) and the shifted set $\bar{S}_i \gets \{j + \ell\cdot(i-1) \mid j \in S_i\}$. It then checks the following conditions and outputs 1 only if all of them are satisfied (and outputs 0 otherwise):
$$S = \bar{S}_i \quad\text{and}\quad r_i = H\Big(\prod_{j\in\bar{S}_i} g^{\alpha_j t_j}\Big) \quad\text{and}\quad \forall j \in \bar{S}_i : t_j = \mathbf{c}^T\mathbf{s}_j \text{ and } u_j = \mathbf{c}^T\mathbf{x}_j.$$

As usual, we write Hyb_i(A) to denote the output of Hyb_i with adversary A. Hybrids Hyb_0(A) and Hyb_1(A) are identical by construction. Hybrids Hyb_1(A) and Hyb_2(A) are statistically indistinguishable by a similar argument as that in the proof of Lemma C.3. Namely, the Verify algorithm in Hyb_1 outputs 1 only if for all $j \in \bar{S}_i$:
$$u_j = t_j a + \mathbf{c}^T\mathbf{b}_j = \mathbf{c}^T(\mathbf{s}_j a + \mathbf{b}_j) + (t_j - \mathbf{c}^T\mathbf{s}_j)a = \mathbf{c}^T\mathbf{x}_j + (t_j - \mathbf{c}^T\mathbf{s}_j)a.$$


If there is some $j \in \bar{S}_i$ where $t_j \neq \mathbf{c}^T\mathbf{s}_j$, then we can argue (as in the proof of Lemma C.3) that with overwhelming probability over the choice of a, the verifier in Hyb_1 outputs 0. Conversely, if $t_j = \mathbf{c}^T\mathbf{s}_j$ for all $j \in \bar{S}_i$, then Verify and Verify* behave identically, and the claim follows. Finally, by a similar argument as in the proof of Theorem 4.7, the output of Hyb_2 is always 0.

Proof of Theorem 4.23 (Statistical Simulation). We construct a simulator S = (S_1, S_2) as follows:

• $\mathcal{S}_1(1^\lambda, 1^\rho) \to (\mathsf{st}_{\mathcal{S}}, \mathsf{crs})$: Sample $\mathcal{G} = (\mathbb{G}, p, g) \gets \mathsf{GroupGen}(1^\lambda)$, $H \xleftarrow{\mathrm{R}} \mathcal{H}$, $\mathbf{V} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{(\ell'+k)\times k}$, $\mathbf{w}_1, \ldots, \mathbf{w}_{\ell'} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\ell'+k}$ exactly as in Setup(1^λ, 1^ρ, hiding). In the following, we will write
$$\mathbf{W} = [\, \mathbf{w}_1 \mid \cdots \mid \mathbf{w}_{\ell'} \mid \mathbf{V} \,] \in \mathbb{Z}_p^{(\ell'+k)\times(\ell'+k)}.$$
Output $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_{\ell'}})$ and $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, \mathbf{W})$.

• $\mathcal{S}_2(\mathsf{st}_{\mathcal{S}}, \mathsf{pk}, I, \mathbf{r}_I) \to (\sigma, \{\pi_i\}_{i\in I})$: On input the simulation state $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, \mathbf{W})$ where $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_{\ell'}})$, a public key $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_{\ell'}})$, a set of indices I ⊆ [ρ], and a bitstring $\mathbf{r}_I \in \{0,1\}^{|I|}$, the simulator samples a seed $s \xleftarrow{\mathrm{R}} \{0,1\}^\kappa$ and computes (S_1, …, S_ρ, α) ← G(s). For each i ∈ I, it computes the shifted sets $\bar{S}_i \gets \{j + \ell\cdot(i-1) \mid j \in S_i\}$. Then, it samples a vector $\mathbf{t} \in \mathbb{Z}_p^{\ell'}$ as follows:

  – For each i ∈ I, first sample $t'_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ subject to $H(g^{t'_i}) = r_i$. Specifically, the simulator repeatedly samples $t'_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ until finding one that satisfies $H(g^{t'_i}) = r_i$. If no such t'_i is found after λ iterations, then the simulator aborts and outputs ⊥. Then for $j \in \bar{S}_i$, sample $t_j \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ subject to the constraint that $\sum_{j\in\bar{S}_i} \alpha_j t_j = t'_i$.

  – For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i\in I} \bar{S}_i$, sample $t_j \xleftarrow{\mathrm{R}} \mathbb{Z}_p$.

  Next, it samples $\mathbf{c} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$ and computes $\mathbf{y}^T \gets [\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \mathbf{W}^{-1}$ (outputting ⊥ if W is not invertible). It computes $g^{u_j} \gets g^{\mathbf{y}^T\mathbf{z}_j}$ for each $j \in \bar{S}_i$ and i ∈ I. Finally, for each i ∈ I, it sets $\pi_i = \{(j, g^{t_j}, g^{u_j})\}_{j\in\bar{S}_i}$, and outputs $\sigma = (s, g^{\mathbf{c}^T})$ and $\{\pi_i\}_{i\in I}$.

To show that ExptHide[A, 0] and ExptHide[A, 1] are statistically indistinguishable, we use a hybrid argument:

• Hyb_0: This is the distribution in ExptHide[A, S, 0]. Namely, the challenger begins by sampling crs ← Setup(1^λ, 1^ρ, hiding). It gives crs to A to receive a public key pk. For each challenge query, the challenger samples (σ, r, {π_i}_{i∈[ρ]}) ← GenBits(crs, pk) and gives r to A to receive a set I ⊆ [ρ]. It then replies with σ and {π_i}_{i∈I}.

• Hyb_1: Same as Hyb_0 except the challenger computes (st_S, crs) ← S_1(1^λ, 1^ρ) and uses the simulator's crs in place of the one output by Setup. Everything else proceeds identically to Hyb_0. Specifically, in this experiment, the challenger samples 𝒢, H, and V, w_1, …, w_{ℓ'} as specified by S_1 and sets $\mathsf{crs} = (\mathcal{G}, H, g^{\mathbf{V}}, g^{\mathbf{w}_1}, \ldots, g^{\mathbf{w}_{\ell'}})$. It gives crs to the adversary and receives a public key $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_{\ell'}})$. Let $\mathbf{Z} \in \mathbb{Z}_p^{(\ell'+k)\times\ell'}$ be the matrix whose columns are z_1, …, z_{ℓ'}. On a challenge query, the challenger proceeds as follows:

  1. Sample $s \xleftarrow{\mathrm{R}} \{0,1\}^\kappa$ and compute (S_1, …, S_ρ, α) ← G(s). For each i ∈ [ρ], compute $\bar{S}_i \gets \{j + \ell\cdot(i-1) \mid j \in S_i\}$.


  2. Sample $\mathbf{y} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\ell'+k}$ and compute $[\, \mathbf{t}^T \mid \mathbf{c}^T \,] \gets \mathbf{y}^T\mathbf{W}$ and $\mathbf{u}^T \gets \mathbf{y}^T\mathbf{Z}$.

  3. For each i ∈ [ρ], compute $t'_i \gets \prod_{j\in\bar{S}_i} g^{\alpha_j t_j}$, $r_i \gets H(t'_i)$, and $\pi_i \gets \{(j, g^{t_j}, g^{u_j})\}_{j\in\bar{S}_i}$.

  4. The challenger gives r ∈ {0,1}^ρ to A and receives a set I ⊆ [ρ].

  5. The challenger replies with $\sigma = (s, g^{t_{\ell'+1}}) = (s, g^{\mathbf{c}^T})$ and the set $\{\pi_i\}_{i\in I}$.

• Hyb_2: Same as Hyb_1, except when responding to the challenge queries, instead of sampling $\mathbf{y} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\ell'+k}$, the challenger samples $\mathbf{t} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^{\ell'}$ and $\mathbf{c} \xleftarrow{\mathrm{R}} \mathbb{Z}_p^k$. It sets $\mathbf{y}^T \gets [\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \mathbf{W}^{-1}$ (and outputs ⊥ if W is not invertible). All remaining components are constructed as in Hyb_1.

• Hyb_3: Same as Hyb_2, except when responding to the challenge queries, the challenger first samples $\mathbf{t}' \xleftarrow{\mathrm{R}} \mathbb{Z}_p^\rho$. Next, for each i ∈ [ρ] and $j \in \bar{S}_i$, it samples $t_j \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ subject to the constraint that $\sum_{j\in\bar{S}_i} \alpha_j t_j = t'_i$. For indices $j \in [\ell'] \setminus \bigcup_{i\in[\rho]} \bar{S}_i$, sample $t_j \xleftarrow{\mathrm{R}} \mathbb{Z}_p$.

• Hyb_4: Same as Hyb_3, except when responding to the challenge queries, the challenger first samples $\mathbf{r} \xleftarrow{\mathrm{R}} \{0,1\}^\rho$. Then, for each i ∈ [ρ], it samples $t'_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ conditioned on $H(g^{t'_i}) = r_i$. All remaining components are constructed as in Hyb_3.

• Hyb_5: Same as Hyb_4 except when responding to the challenge queries, the challenger samples $\mathbf{t} \in \mathbb{Z}_p^{\ell'}$ after it receives the challenge set. In particular, on each query, after the challenger receives the set I ⊆ [ρ], it samples t as follows:

  – For each i ∈ I, first sample $t'_i \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ subject to $H(g^{t'_i}) = r_i$. Then, for $j \in \bar{S}_i$, sample $t_j \xleftarrow{\mathrm{R}} \mathbb{Z}_p$ subject to the constraint that $\sum_{j\in\bar{S}_i} \alpha_j t_j = t'_i$.

  – For all of the remaining indices $j \in [\ell'+1] \setminus \bigcup_{i\in I} \bar{S}_i$, sample $t_j \xleftarrow{\mathrm{R}} \mathbb{Z}_p$.

  After sampling t using the above procedure, the simulator constructs the remaining components as in Hyb_4. This is the distribution in ExptHide[A, S, 1].

For an adversary A, we write Hybi(A) to denote the output of hybrid Hybi with adversary A. Inthe following, we will show that the output distribution of each pair of adjacent experiments isstatistically indistinguishable (or identically distributed). Our analysis will rely on the followingstatistical property on the output of a secure PRG:

Claim C.11. Suppose $G$ is a secure PRG, and take $s \xleftarrow{R} \{0,1\}^\kappa$. Let $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$. Then, with overwhelming probability over the choice of $s$, the following properties hold:

• For any $i \in [\rho \ell]$, $\Pr[\alpha_i = 0] = \mathrm{negl}(\lambda)$.

• Let $\mathbf{A} \in \mathbb{Z}_p^{\ell \times \ell'}$ be any fixed matrix and let $I \subseteq [\rho]$ be any fixed set of indices. For each $i \in I$, let $\bar S_i \leftarrow \{ j + \ell \cdot (i-1) \mid j \in S_i \}$ be the shifted set of indices, and define
$$J = \{ j \in \bar S_i \text{ for some } i \in I \mid j \in [\ell'] \} \subseteq [\ell'].$$
Let $\bar{\mathbf{A}} \in \mathbb{Z}_p^{\ell \times \lambda |I|}$ be the submatrix of $\mathbf{A}$ formed by taking only the columns of $\mathbf{A}$ indexed by $J$. For $i \in [\rho]$, define $\boldsymbol{\alpha}^{(i)} \in \mathbb{Z}_p^\ell$ as follows:
$$\alpha^{(i)}_j = \begin{cases} \alpha_{j + \ell \cdot (i-1)} & \text{if } j \in S_i \\ 0 & \text{otherwise.} \end{cases}$$
By construction, $\boldsymbol{\alpha}^{(i)}$ contains exactly $\lambda$ non-zero entries (as specified by the set $S_i$). Then, for any $i \in [\rho] \setminus I$,
$$\Pr[\boldsymbol{\alpha}^{(i)} \in \mathrm{span}(\bar{\mathbf{A}})] = \Pr[\exists\, \mathbf{v} \in \mathbb{Z}_p^{\lambda |I|} : \boldsymbol{\alpha}^{(i)} = \bar{\mathbf{A}} \mathbf{v}] = \mathrm{negl}(\lambda).$$

Proof. Both properties above are efficiently-checkable given $(S_1, \ldots, S_\rho, \boldsymbol{\alpha})$, the matrix $\mathbf{A}$, and the set of indices $I$. It suffices to show that both hold with overwhelming probability when $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \xleftarrow{R} \mathcal{T}_{\lambda,\ell}^\rho \times \mathbb{Z}_p^{\rho \ell}$. The claim then follows by PRG security. We show each property below:

• Since $\boldsymbol{\alpha} \xleftarrow{R} \mathbb{Z}_p^{\rho \ell}$, $\alpha_i = 0$ with probability $1/p = \mathrm{negl}(\lambda)$.

• Let $\bar{\mathbf{A}}$ be the matrix defined above, and let $\bar{\mathbf{a}}_j^T \in \mathbb{Z}_p^{\lambda |I|}$ denote the $j$th row of $\bar{\mathbf{A}}$. Let $n = \mathrm{rank}(\bar{\mathbf{A}}) \le \lambda |I| \le \lambda \rho = \ell/3$. This means that there exists a collection of indices $j_1, \ldots, j_n \in [\ell]$ such that the collection $\{ \bar{\mathbf{a}}_{j_1}^T, \ldots, \bar{\mathbf{a}}_{j_n}^T \}$ is linearly independent and $\mathrm{span}(\bar{\mathbf{A}}^T) = \mathrm{span}(\{ \bar{\mathbf{a}}_{j_1}^T, \ldots, \bar{\mathbf{a}}_{j_n}^T \})$. By construction, $\bar{\mathbf{A}}$ only depends on $\mathbf{A}$ and the sets $S_i$ where $i \in I$. This means that we can sample the sets $S_i$ where $i \notin I$ after fixing $\bar{\mathbf{A}}$ and the set of indices $\{ j_1, \ldots, j_n \}$. In this case, since $S_i \xleftarrow{R} \mathcal{T}_{\lambda,\ell}$,
$$\Pr[S_i \xleftarrow{R} \mathcal{T}_{\lambda,\ell} : S_i \subseteq \{ j_1, \ldots, j_n \}] \le \frac{\binom{n}{\lambda}}{\binom{\ell}{\lambda}} \le \left( \frac{ne}{\ell} \right)^{\lambda} = \mathrm{negl}(\lambda),$$
since $n \le \ell/3$. Thus, for any $i \in [\rho] \setminus I$, there exists an index $j^* \in S_i$ where $j^* \notin \{ j_1, \ldots, j_n \}$ with overwhelming probability. In addition, since $\bar{\mathbf{a}}_{j^*}^T \in \mathrm{span}(\bar{\mathbf{A}}^T)$, there exist scalars $\beta_1, \ldots, \beta_n \in \mathbb{Z}_p$ such that $\bar{\mathbf{a}}_{j^*}^T = \sum_{\tau \in [n]} \beta_\tau \bar{\mathbf{a}}_{j_\tau}^T$. This means that if there exists $\mathbf{v} \in \mathbb{Z}_p^{\lambda |I|}$ such that $\boldsymbol{\alpha}^{(i)} = \bar{\mathbf{A}} \mathbf{v}$, then
$$\alpha^{(i)}_{j^*} = \bar{\mathbf{a}}_{j^*}^T \mathbf{v} = \sum_{\tau \in [n]} \beta_\tau \bar{\mathbf{a}}_{j_\tau}^T \mathbf{v} = \sum_{\tau \in [n]} \beta_\tau \alpha^{(i)}_{j_\tau}.$$
Since $j^* \in S_i$, by construction, $\alpha^{(i)}_{j^*} = \alpha_{j^* + \ell \cdot (i-1)}$, which is uniform over $\mathbb{Z}_p$ and independent of $\beta_\tau$ and $\alpha^{(i)}_{j_\tau}$ for all $\tau \in [n]$. Thus, over the randomness of $\boldsymbol{\alpha}$, for any $i \in [\rho] \setminus I$,
$$\Pr[\exists\, \mathbf{v} \in \mathbb{Z}_p^{\lambda |I|} : \boldsymbol{\alpha}^{(i)} = \bar{\mathbf{A}} \mathbf{v}] = \Pr\Big[ \alpha^{(i)}_{j^*} = \sum_{\tau \in [n]} \beta_\tau \alpha^{(i)}_{j_\tau} \Big] = \frac{1}{p} = \mathrm{negl}(\lambda).$$

We will also use the following simple fact on linear independence.

Claim C.12. Take any matrix $\mathbf{A} \in \mathbb{Z}_p^{m \times n}$ and any vector $\mathbf{v} \in \mathbb{Z}_p^m$ where $\mathbf{v} \notin \mathrm{span}(\mathbf{A})$. Then, for any $\gamma \in \mathbb{Z}_p$, the following distributions are identical:
$$\{ \mathbf{t} \xleftarrow{R} \mathbb{Z}_p^m : (\mathbf{A}, \mathbf{v}, \gamma, \mathbf{t}^T \mathbf{A}) \} \equiv \{ \mathbf{t} \xleftarrow{R} \{ \mathbf{t} \in \mathbb{Z}_p^m \mid \mathbf{t}^T \mathbf{v} = \gamma \} : (\mathbf{A}, \mathbf{v}, \gamma, \mathbf{t}^T \mathbf{A}) \}.$$

Proof. Follows immediately from the fact that $\mathbf{v}$ is not in the span of $\mathbf{A}$.
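Claim C.12 is the linear-algebra step that lets the proof of Lemma C.17 replace a linearly constrained $\mathbf{t}^{(i)}$ by a uniform one. The following Python example is added here (it is not code from the paper): over a constructed toy instance with $p = 5$, $m = 3$, $n = 2$ it enumerates every $\mathbf{t}$, compares the exact distribution of $\mathbf{t}^T \mathbf{A}$ with and without the constraint $\mathbf{t}^T \mathbf{v} = \gamma$, confirms the two coincide for every $\gamma$ when $\mathbf{v} \notin \mathrm{span}(\mathbf{A})$, and shows that they diverge as soon as $\mathbf{v}$ does lie in the span, which is the case Claim C.11 rules out.

```python
"""
Exhaustive check of Claim C.12 over a small prime field (added example).

For A in Z_p^{m x n} and v in Z_p^m with v not in span(A), the distribution
of t^T A is the same whether t is uniform over Z_p^m or uniform subject to
t^T v = gamma.  With tiny p, m, n we enumerate every t and compare exactly.
"""
from collections import Counter
from fractions import Fraction
from itertools import product

def vec_mat(t, A, p):
    """Row vector t (length m) times matrix A (m x n) over Z_p."""
    m, n = len(A), len(A[0])
    return tuple(sum(t[i] * A[i][j] for i in range(m)) % p for j in range(n))

def dot(t, v, p):
    return sum(a * b for a, b in zip(t, v)) % p

def in_span(A, v, p):
    """Brute-force membership test: is v = A w for some w in Z_p^n?"""
    m, n = len(A), len(A[0])
    for w in product(range(p), repeat=n):
        if all(sum(A[i][j] * w[j] for j in range(n)) % p == v[i] for i in range(m)):
            return True
    return False

def distribution(A, p, v=None, gamma=None):
    """Exact distribution of t^T A, optionally conditioned on t^T v = gamma."""
    m = len(A)
    counts = Counter()
    for t in product(range(p), repeat=m):
        if v is not None and dot(t, v, p) != gamma:
            continue
        counts[vec_mat(t, A, p)] += 1
    total = sum(counts.values())
    return {k: Fraction(c, total) for k, c in counts.items()}

def claim_c12_holds(A, v, gamma, p):
    """True iff the unconditional and conditioned distributions of t^T A coincide."""
    return distribution(A, p) == distribution(A, p, v, gamma)

# Constructed toy instance: p = 5, m = 3, n = 2.
P = 5
A = [[1, 0],
     [0, 1],
     [0, 0]]
V_OUTSIDE = (0, 0, 1)   # not in span(A): the third coordinate of every A w is 0
V_INSIDE = (1, 2, 0)    # equals A (1, 2)^T, so it lies in span(A)

if __name__ == "__main__":
    print("v outside span:", in_span(A, V_OUTSIDE, P),
          "claim holds:", claim_c12_holds(A, V_OUTSIDE, 3, P))
    print("v inside span: ", in_span(A, V_INSIDE, P),
          "claim holds:", claim_c12_holds(A, V_INSIDE, 3, P))
```

The conditioned distribution is computed by rejection over the full enumeration, so for the toy field it is exact rather than sampled; the `V_INSIDE` case shows the failure mode that the `span` check of Claim C.11 exists to exclude.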

Lemma C.13. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \equiv \mathsf{Hyb}_1(\mathcal{A})$.

Proof. Since $S_1(1^\lambda, 1^\rho)$ samples $\overline{\mathsf{crs}}$ using the same procedure as $\mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding})$, the output distributions of $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ are identically distributed.

Lemma C.14. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. With overwhelming probability, $\mathbf{W}$ is full-rank and invertible. In this case, the distribution of $\mathbf{y}$ in $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$ is identical.

Lemma C.15. If $G$ is a secure PRG, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_2(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_3(\mathcal{A})$.

Proof. These two distributions are identical provided that for each $i \in [\rho]$, there is at least one index $j \in \bar S_i$ where $\alpha_j \ne 0$. In this case, both $\mathbf{t}$ and $\mathbf{t}'$ are uniformly random over $\mathbb{Z}_p^{\ell'}$ and $\mathbb{Z}_p^\rho$, respectively, subject to the condition that $t'_i = \sum_{j \in \bar S_i} \alpha_j t_j$ for all $i \in [\rho]$. By Claim C.11, with overwhelming probability, $\alpha_j \ne 0$ for any $j \in [\ell']$. Since $\rho = \mathrm{poly}(\lambda)$, the claim follows by a union bound.

Lemma C.16. If $H$ is statistically uniform, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_3(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_4(\mathcal{A})$.

Proof. In $\mathsf{Hyb}_3$, the challenger samples $t'_i \xleftarrow{R} \mathbb{Z}_p$ and sets $r_i \leftarrow H(t'_i)$ while, in $\mathsf{Hyb}_4$, the challenger samples $r_i \xleftarrow{R} \{0,1\}$ and sets $t'_i \xleftarrow{R} \mathbb{Z}_p$ subject to $H(t'_i) = r_i$. These two distributions are statistically indistinguishable by the argument from the proof of Lemma C.6.

Lemma C.17. If $G$ is a secure PRG, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_4(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_5(\mathcal{A})$.

Proof. The challenger samples $\overline{\mathsf{crs}}$ identically in the two experiments, so it suffices to consider its responses to the challenge queries. Let $\mathbf{W} \in \mathbb{Z}_p^{(\ell'+k) \times (\ell'+k)}$ be the matrix of components in the CRS and let $\mathsf{pk} = (g^{\mathbf{z}_1}, \ldots, g^{\mathbf{z}_{\ell'}})$ be the adversary's chosen public key. As above, let $\mathbf{Z} \in \mathbb{Z}_p^{(\ell'+k) \times \ell'}$ be the matrix whose columns are $\mathbf{z}_1, \ldots, \mathbf{z}_{\ell'}$. Now, on each challenge query, in both $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, the challenger starts by sending the adversary a random string $r \xleftarrow{R} \{0,1\}^\rho$, and the adversary replies with a set $I \subseteq [\rho]$. The challenger then replies with a commitment $\sigma = (s, g^{\mathbf{c}^T})$ and a set of proofs $\{\pi_i\}_{i \in I}$, where $\pi_i = \{ (j, g^{t_j}, g^{u_j}) \}_{j \in \bar S_i}$. To complete the proof, it suffices to show that the challenger's response is statistically indistinguishable in the two experiments. To facilitate the analysis, we first define the following variables:

• For $i \in [\rho]$, let $\mathbf{t}^{(i)} \in \mathbb{Z}_p^\ell$ be the vector where $t^{(i)}_j = t_{j + \ell \cdot (i-1)}$. In other words, $\mathbf{t}^T = [\, (\mathbf{t}^{(1)})^T \mid \cdots \mid (\mathbf{t}^{(\rho)})^T \,] \in \mathbb{Z}_p^{\ell'}$.

• For $i \in [\rho]$, define $\boldsymbol{\alpha}^{(i)} \in \mathbb{Z}_p^\ell$ as follows:
$$\alpha^{(i)}_j = \begin{cases} \alpha_{j + \ell \cdot (i-1)} & \text{if } j \in S_i \\ 0 & \text{otherwise.} \end{cases}$$
By construction, in both experiments, $t'_i = \sum_{j \in [\ell]} \alpha^{(i)}_j t^{(i)}_j$.

We now consider the different components in the two experiments:

• The string $r$ is independently and uniformly sampled from $\{0,1\}^\rho$ in both experiments.

• The seed $s$ is independently and uniformly sampled from $\{0,1\}^\kappa$ in both experiments, so the seed $s$, the sets $S_1, \ldots, S_\rho$, and the vector $\boldsymbol{\alpha}$ are identically distributed in the two experiments.

• The commitment vector $\mathbf{c}$ is independently and uniformly sampled from $\mathbb{Z}_p^k$ in both experiments.

• For $i \in I$, $t'_i$ is sampled identically in the two experiments (namely, $t'_i \xleftarrow{R} \mathbb{Z}_p$ subject to $H(g^{t'_i}) = r_i$). Correspondingly, the vectors $\mathbf{t}^{(i)}$ for all $i \in I$ are identically distributed.

It suffices to show that in $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, the components $\{u_j\}_{j \in \bar S_i}$ for all $i \in I$ are statistically indistinguishable (given all of the other components in the adversary's view). In both experiments,
$$\mathbf{u}^T = \mathbf{y}^T \mathbf{Z} = [\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \mathbf{W}^{-1} \mathbf{Z}.$$
Let
$$\mathbf{A} = \mathbf{W}^{-1} \mathbf{Z} = \begin{bmatrix} \mathbf{A}^{(1)} \\ \vdots \\ \mathbf{A}^{(\rho)} \\ \mathbf{A}' \end{bmatrix} \in \mathbb{Z}_p^{(\ell'+k) \times \ell'},$$
where $\mathbf{A}^{(i)} \in \mathbb{Z}_p^{\ell \times \ell'}$ and $\mathbf{A}' \in \mathbb{Z}_p^{k \times \ell'}$. This is a fixed matrix (determined by the CRS and the adversary's choice of public key). Moreover, the adversary's choice of indices $i \in I$ is fixed before the challenger samples the commitment and the openings. Let
$$J = \{ j \in \bar S_i \text{ for some } i \in I \mid j \in [\ell'] \}$$
be the set of indices that appear in some set $\bar S_i$ for $i \in I$. Let $\bar{\mathbf{A}} \in \mathbb{Z}_p^{(\ell'+k) \times \lambda |I|}$ be the submatrix of $\mathbf{A}$ formed by taking only the columns of $\mathbf{A}$ indexed by the set $J$. In particular, the elements of $[\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \bar{\mathbf{A}}$ precisely coincide with $\bigcup_{i \in I} \{u_j\}_{j \in \bar S_i}$, which are the elements in the adversary's view. Now, write $\bar{\mathbf{A}}$ as follows:
$$\bar{\mathbf{A}} = \begin{bmatrix} \bar{\mathbf{A}}^{(1)} \\ \vdots \\ \bar{\mathbf{A}}^{(\rho)} \\ \bar{\mathbf{A}}' \end{bmatrix},$$
where $\bar{\mathbf{A}}^{(i)} \in \mathbb{Z}_p^{\ell \times \lambda |I|}$ and $\bar{\mathbf{A}}' \in \mathbb{Z}_p^{k \times \lambda |I|}$. With this, we can write
$$[\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \bar{\mathbf{A}} = \sum_{i \in [\rho]} \Big( (\mathbf{t}^{(i)})^T \bar{\mathbf{A}}^{(i)} \Big) + \mathbf{c}^T \bar{\mathbf{A}}' \in \mathbb{Z}_p^{\lambda |I|}. \tag{C.2}$$
Since $\mathbf{c}$ and all of the $\mathbf{t}^{(i)}$ are sampled independently, we can consider each summand individually:

• If $i \in I$, then as argued above, $\mathbf{t}^{(i)}$ is identically distributed in $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$. Since $\bar{\mathbf{A}}$ is a fixed matrix (independent of $\mathbf{t}$), the products $(\mathbf{t}^{(i)})^T \bar{\mathbf{A}}^{(i)}$ are also identically distributed.

• If $i \notin I$, then the $\mathbf{t}^{(i)}$ in the two experiments are sampled from different distributions. In $\mathsf{Hyb}_4$, $\mathbf{t}^{(i)}$ is uniform over $\mathbb{Z}_p^\ell$ subject to $\sum_{j \in [\ell]} \alpha^{(i)}_j t^{(i)}_j = t'_i$ while, in $\mathsf{Hyb}_5$, $\mathbf{t}^{(i)}$ is uniform over $\mathbb{Z}_p^\ell$. Since $i \notin I$ and $\mathbf{A}^{(i)} \in \mathbb{Z}_p^{\ell \times \ell'}$ is a fixed matrix, we can appeal to Claim C.11 to conclude that the probability that $\boldsymbol{\alpha}^{(i)} \in \mathrm{span}(\bar{\mathbf{A}}^{(i)})$ is negligible. By Claim C.12, this means that with overwhelming probability, the distribution of $(\mathbf{t}^{(i)})^T \bar{\mathbf{A}}^{(i)}$ is statistically indistinguishable in $\mathsf{Hyb}_4$ (where $\mathbf{t}^{(i)}$ is uniform subject to a linear constraint $\boldsymbol{\alpha}^{(i)} \notin \mathrm{span}(\bar{\mathbf{A}}^{(i)})$) and $\mathsf{Hyb}_5$ (where $\mathbf{t}^{(i)}$ is uniform).

• As argued above, $\mathbf{c}$ is identically distributed in the two experiments (and independent of $\bar{\mathbf{A}}$). Thus, $\mathbf{c}^T \bar{\mathbf{A}}'$ is identically distributed in the two experiments.

Since every term in Eq. (C.2) is either statistically indistinguishable or identically distributed in the two experiments, we conclude that $[\, \mathbf{t}^T \mid \mathbf{c}^T \,] \cdot \bar{\mathbf{A}}$ is also statistically indistinguishable. Based on the above analysis, the adversary's view in each challenge query is statistically indistinguishable in $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$. Since the adversary makes at most a polynomial number of challenge queries, the claim follows by a hybrid argument.

Since each consecutive pair of hybrid experiments is statistically indistinguishable (or identically distributed), the claim follows.

D Analysis of Constructions from QR (Section 5)

In this section, we provide the analysis of the dual-mode hidden-bits generators from Section 5.

D.1 Analysis of Construction 5.3 (Dual-Mode HBG from QR)

In this section, we give the proofs for the correctness and security theorems (Theorems 5.4 to 5.8) for the dual-mode hidden-bits generator from QR (Construction 5.3).

Proof of Theorem 5.4 (Correctness). Fix $\lambda \in \mathbb{N}$, a polynomial $\rho = \rho(\lambda)$, an index $i \in [\rho]$, and a mode $\mathsf{mode} \in \{\mathsf{binding}, \mathsf{hiding}\}$. Let $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{mode})$, $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$, and $(\sigma, r, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathsf{GenBits}(\mathsf{crs}, \mathsf{pk})$. By construction, $\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{w}_\rho})$, for some vectors $\mathbf{v} \in \mathbb{Z}_{p'q'}^\rho$ and $\mathbf{w}_1, \ldots, \mathbf{w}_\rho \in \mathbb{Z}_2^\rho$. Then $\mathsf{sk} = \{a_\tau, b_{\tau,i}\}_{\tau \in [T], i \in [\rho]}$ and
$$\mathsf{pk} = \{\mathbf{z}_{\tau,i}\}_{\tau \in [T], i \in [\rho]} = \{ (g^{s_i \mathbf{v}} h^{\mathbf{w}_i})^{a_\tau} (g^{\mathbf{v}})^{b_{\tau,i}} \}_{\tau \in [T], i \in [\rho]} = \{ g^{(a_\tau s_i + b_{\tau,i}) \mathbf{v}} h^{a_\tau \mathbf{w}_i} \}_{\tau \in [T], i \in [\rho]}.$$
Next, we have that $\sigma = c = \prod_{j \in [\rho]} g^{v_j y_j} = g^{\mathbf{y}^T \mathbf{v}}$, $r_i = \mathsf{LEQ}(t_i, t_i h)$ and $\pi_i = (t_i, u_i)$, where
$$t_i = \prod_{j \in [\rho]} (g^{s_i v_j} h^{w_{i,j}})^{y_j} = g^{s_i \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{w}_i},$$
and $u_i = H(u_{1,i}, \ldots, u_{T,i})$ where
$$u_{\tau,i} = \prod_{j \in [\rho]} \big( g^{(a_\tau s_i + b_{\tau,i}) v_j} h^{a_\tau w_{i,j}} \big)^{y_j} = g^{(a_\tau s_i + b_{\tau,i}) \mathbf{y}^T \mathbf{v}} h^{a_\tau \mathbf{y}^T \mathbf{w}_i}$$
for all $\tau \in [T]$. Consider now the behavior of $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i)$. By construction, $r_i = \mathsf{LEQ}(t_i, t_i h)$, so it suffices to check that Eq. (5.1) holds. By construction, for each $\tau \in [T]$,
$$t_i^{a_\tau} c^{b_{\tau,i}} = \big( g^{a_\tau s_i \mathbf{y}^T \mathbf{v}} h^{a_\tau \mathbf{y}^T \mathbf{w}_i} \big) \big( g^{b_{\tau,i} \mathbf{y}^T \mathbf{v}} \big) = g^{(a_\tau s_i + b_{\tau,i}) \mathbf{y}^T \mathbf{v}} h^{a_\tau \mathbf{y}^T \mathbf{w}_i} = u_{\tau,i}.$$
Thus, Eq. (5.1) is equivalent to checking whether $u_i = H(u_{1,i}, \ldots, u_{T,i})$, which holds by construction, and $\mathsf{Verify}$ outputs 1.

Proof of Theorem 5.5 (Succinctness). The size of the commitment in Construction 5.3 consists of a single element in $\mathbb{Z}_N^*$, which has length $\lceil \log N \rceil = \mathrm{poly}(\lambda)$.


Proof of Theorem 5.6 (CRS Indistinguishability). The proof of Theorem 5.6 follows via the following claim from [BG10]:

Claim D.1 ([BG10, §5]). Suppose a safe prime product modulus sampler $\mathsf{SampleModulus}$ satisfies the QR assumption. Let $h = -1$. Then, for all polynomials $\rho = \rho(\lambda)$, all fixed vectors $\mathbf{w} \in \{0,1\}^\rho$, and all efficient adversaries $\mathcal{A}$, if we sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$, $\mathbf{v} \xleftarrow{R} \mathbb{Z}_{p'q'}^\rho$, $s \xleftarrow{R} \mathbb{Z}_{p'q'}$, where $p = 2p' + 1$ and $q = 2q' + 1$, we have that
$$\Big| \Pr[\mathcal{A}(N, g, g^{\mathbf{v}}, g^{s \mathbf{v}}) = 1] - \Pr[\mathcal{A}(N, g, g^{\mathbf{v}}, g^{s \mathbf{v}} h^{\mathbf{w}}) = 1] \Big| = \mathrm{negl}(\lambda),$$
where $g$ is a generator of $\mathsf{QR}_N$.

First, Claim D.1 also holds if we instead sample $\mathbf{v} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$ and $s \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}$ since the statistical distance between $\{ r \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor} : r \bmod p'q' \}$ and $\mathsf{Uniform}(\mathbb{Z}_{p'q'})$ is
$$\Delta\big( \{ r \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor} : r \bmod p'q' \}, \mathsf{Uniform}(\mathbb{Z}_{p'q'}) \big) = \frac{(N-1)/2 \bmod p'q'}{(N-1)/2} = \frac{p' + q'}{2p'q' + p' + q'} = \mathrm{negl}(\lambda),$$
since $1/p', 1/q' = \mathrm{negl}(\lambda)$. To complete the proof, we use a hybrid argument, where for $j \in \{0, \ldots, \rho\}$, $\mathsf{Hyb}_j$ is defined as follows:

• $\mathsf{Hyb}_j$: Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$, $\mathbf{v} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$, $s_1, \ldots, s_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}$, $H \xleftarrow{R} \mathcal{H}$, and let $g$ be a generator of $\mathsf{QR}_N$. Output $\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_j \mathbf{v}}, g^{s_{j+1} \mathbf{v}} h^{\mathbf{e}_{j+1}}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho})$.

By construction, $\mathsf{Hyb}_0$ implements $\mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding})$ and $\mathsf{Hyb}_\rho$ implements $\mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{binding})$. We can appeal to Claim D.1 (where $\mathbf{v}$ and $s$ are sampled from $\mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$ and $\mathbb{Z}_{\lfloor N/2 \rfloor}$, respectively) to argue that each pair of adjacent hybrids $\mathsf{Hyb}_{j-1}$ and $\mathsf{Hyb}_j$ for $j \in [\rho]$ are computationally indistinguishable. To see this, set $\mathbf{w} = \mathbf{e}_j$ in Claim D.1, and let $(N, g, g^{\mathbf{v}}, g^{s \mathbf{v}} h^{\mathbf{w}'})$ be the challenge. We simulate a CRS by sampling $s_1, \ldots, s_{j-1}, s_{j+1}, \ldots, s_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}$, $H \xleftarrow{R} \mathcal{H}$ and outputting
$$(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_{j-1} \mathbf{v}}, g^{s \mathbf{v}} h^{\mathbf{w}'}, g^{s_{j+1} \mathbf{v}} h^{\mathbf{e}_{j+1}}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho}).$$
If $\mathbf{w}' = \mathbf{0}$, then this is precisely the distribution $\mathsf{Hyb}_j$ and if $\mathbf{w}' = \mathbf{e}_j$, then this is the distribution $\mathsf{Hyb}_{j-1}$. Thus, by Claim D.1, the outputs of $\mathsf{Hyb}_{j-1}$ and $\mathsf{Hyb}_j$ are computationally indistinguishable for all $j \in [\rho]$. Since $\rho = \mathrm{poly}(\lambda)$, Theorem 5.6 follows by a hybrid argument.

Proof of Theorem 5.7 (Statistical Binding). Recall that in binding mode, the common reference string is given by
$$\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_\rho \mathbf{v}}).$$
We define the (inefficient) $\mathsf{Open}$ algorithm as follows:

• $\mathsf{Open}(\mathsf{crs}, \sigma) \to r$: On input a $\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_\rho \mathbf{v}})$ and a commitment $\sigma = g^c$ (outputting $\bot$ if the components do not have this form), the open algorithm recovers $\mathbf{v}$, $s_1, \ldots, s_\rho$, and $c$. Then, it computes $r_i \leftarrow \mathsf{LEQ}(g^{c s_i}, g^{c s_i} h)$ for each $i \in [\rho]$, and outputs $r$.

To complete the proof, we use a hybrid argument:


• $\mathsf{Hyb}_0$: This is the real soundness experiment. The challenger samples $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{binding})$ and $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$ and gives $(\mathsf{crs}, \mathsf{pk})$ to $\mathcal{A}$. Here,
$$\mathsf{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_\rho \mathbf{v}}) \quad \text{and} \quad \mathsf{pk} = \{ g^{(a_\tau s_i + b_{\tau,i}) \mathbf{v}} \}_{\tau \in [T], i \in [\rho]}.$$
The adversary can make queries to the verification oracle, and on each query $(\sigma, i, r_i, \pi_i)$, the challenger replies with $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i)$. At the end of the game, the adversary outputs a tuple $(\sigma^*, i^*, r^*, \pi^*)$ and the output of the experiment is 1 if $r^* \ne r_{i^*}$ where $r \leftarrow \mathsf{Open}(\mathsf{crs}, \sigma^*)$ and $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma^*, i^*, r^*, \pi^*) = 1$.

• $\mathsf{Hyb}_1$: Same as $\mathsf{Hyb}_0$ except the challenger samples the scalars $s_1, \ldots, s_\rho$ and the secret key components $a_\tau, b_{\tau,i}$ uniformly at random from $\mathbb{Z}_{2p'q'}$ (instead of $\mathbb{Z}_{\lfloor N/2 \rfloor}$) for all $\tau \in [T]$ and $i \in [\rho]$.

• $\mathsf{Hyb}_2$: Same as $\mathsf{Hyb}_1$ except the challenger computes $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i)$ using the following modified procedure. First, parse $\sigma = g^c h^{\bar c}$ and $\pi_i = (g^{t_i} h^{\bar t_i}, u_i)$, for some $c, t_i \in \mathbb{Z}_{p'q'}$, $\bar c, \bar t_i \in \mathbb{Z}_2$, and $u_i \in \{0,1\}^\lambda$. Then, the challenger does the following:

– If $r_i \ne \mathsf{LEQ}(g^{t_i} h^{\bar t_i}, g^{t_i} h^{\bar t_i + 1})$, output 0.

– If $\bar c \ne 0$ or $\bar t_i \ne 0$, then output 0.

– If $t_i \ne s_i c$, then output 0.

– Otherwise, take any $\mathbf{y} \in \mathbb{Z}_{p'q'}^\rho$ such that $\mathbf{y}^T \mathbf{v} = c$. Write the public key as $\mathsf{pk} = \{ g^{\mathbf{z}_{\tau,i}} \}_{\tau \in [T], i \in [\rho]}$ and output 1 if $u_i = H(g^{\mathbf{y}^T \mathbf{z}_{1,i}}, \ldots, g^{\mathbf{y}^T \mathbf{z}_{T,i}})$. Otherwise (or if no such $\mathbf{y}$ exists), output 0.

Importantly, the challenger's responses to the verification queries in $\mathsf{Hyb}_2$ depend only on the public components (i.e., $\mathsf{crs}$ and $\mathsf{pk}$).

For an adversary $\mathcal{A}$, we write $\mathsf{Hyb}_i(\mathcal{A})$ to denote the output distribution of an execution of experiment $\mathsf{Hyb}_i$ with adversary $\mathcal{A}$. We now show that the output distribution of each adjacent pair of hybrid experiments is statistically indistinguishable.

Lemma D.2. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_1(\mathcal{A})$.

Proof. The statistical distance between $\mathsf{Uniform}(\mathbb{Z}_{\lfloor N/2 \rfloor})$ and $\mathsf{Uniform}(\mathbb{Z}_{2p'q'})$ satisfies
$$\Delta\big( \mathsf{Uniform}(\mathbb{Z}_{\lfloor N/2 \rfloor}), \mathsf{Uniform}(\mathbb{Z}_{2p'q'}) \big) = 1 - \frac{2p'q'}{\lfloor N/2 \rfloor} = 1 - \frac{2p'q'}{2p'q' + p' + q'} = \mathrm{negl}(\lambda), \tag{D.1}$$
since $1/p', 1/q' = \mathrm{negl}(\lambda)$. Since $\rho, T = \mathrm{poly}(\lambda)$, the claim follows by a union bound.
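Both the sampling switch used for Claim D.1 (drawing from $\mathbb{Z}_{\lfloor N/2 \rfloor}$ and reducing mod $p'q'$, so that $\mathsf{Setup}$ never needs $p', q'$) and Eq. (D.1) ($\mathsf{Uniform}(\mathbb{Z}_{\lfloor N/2 \rfloor})$ versus $\mathsf{Uniform}(\mathbb{Z}_{2p'q'})$) rest on statistical-distance bookkeeping. The Python example below is added here and is not from the paper: it computes both distances exactly with rational arithmetic for a constructed toy modulus $N = 7 \cdot 11 = 77$ ($p' = 3$, $q' = 5$) and compares them with the closed forms stated above. For Eq. (D.1) the closed form is exact; for the reduced-sampling switch of Claim D.1 the expression $(p'+q')/\lfloor N/2 \rfloor$ bounds the exact distance from above.

```python
"""
Exact statistical distances for the two sampling switches in the QR analysis
(added example, not part of the paper).

  * Claim D.1 switch: r <- Z_{floor(N/2)} reduced mod p'q', versus Uniform(Z_{p'q'});
  * Eq. (D.1):        Uniform(Z_{floor(N/2)}) versus Uniform(Z_{2p'q'}).
"""
from fractions import Fraction

def statistical_distance(dist_a, dist_b):
    """Delta(A, B) = 1/2 * sum_x |A(x) - B(x)| over the union of the supports."""
    support = set(dist_a) | set(dist_b)
    return sum(abs(dist_a.get(x, 0) - dist_b.get(x, 0)) for x in support) / 2

def uniform(modulus):
    return {x: Fraction(1, modulus) for x in range(modulus)}

def reduced_uniform(modulus, target):
    """Distribution of (r mod target) for r uniform over Z_modulus."""
    dist = {}
    for r in range(modulus):
        dist[r % target] = dist.get(r % target, 0) + Fraction(1, modulus)
    return dist

def safe_prime_product(p_prime, q_prime):
    """N = p q with p = 2p'+1, q = 2q'+1 (caller supplies Sophie Germain primes p', q')."""
    p, q = 2 * p_prime + 1, 2 * q_prime + 1
    return p * q, p, q

def claim_d1_distances(p_prime, q_prime):
    """(exact distance for the Claim D.1 switch, paper's expression (p'+q')/floor(N/2))."""
    N, _, _ = safe_prime_product(p_prime, q_prime)
    half = N // 2                      # floor(N/2) = 2p'q' + p' + q' since N is odd
    exact = statistical_distance(reduced_uniform(half, p_prime * q_prime),
                                 uniform(p_prime * q_prime))
    paper = Fraction(half % (p_prime * q_prime), half)
    return exact, paper

def eq_d1_distance(p_prime, q_prime):
    """(exact distance for Eq. (D.1), closed form 1 - 2p'q'/(2p'q' + p' + q'))."""
    N, _, _ = safe_prime_product(p_prime, q_prime)
    half = N // 2
    exact = statistical_distance(uniform(half), uniform(2 * p_prime * q_prime))
    paper = 1 - Fraction(2 * p_prime * q_prime, 2 * p_prime * q_prime + p_prime + q_prime)
    return exact, paper

if __name__ == "__main__":
    # Constructed toy parameters: p' = 3, q' = 5, so p = 7, q = 11 and N = 77.
    for label, fn in (("Claim D.1 switch", claim_d1_distances), ("Eq. (D.1)", eq_d1_distance)):
        exact, paper = fn(3, 5)
        print(f"{label}: exact = {exact} ({float(exact):.4f}), paper = {paper} ({float(paper):.4f})")
```

Rational arithmetic matters here: the two distributions differ on residues that are hit three times rather than twice, and a floating-point sum would hide whether the computed value sits exactly on or strictly below the stated bound.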

Lemma D.3. If $H$ is pairwise independent, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. In $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$, the challenger evaluates $\mathsf{Verify}$ at most $Q + 1$ times where $Q = \mathrm{poly}(\lambda)$ is the bound on the number of queries the adversary makes. For $j \in \{0, \ldots, Q+1\}$, let $\mathsf{Hyb}_{1,j}$ denote the experiment where the first $j$ queries are handled according to the specification in $\mathsf{Hyb}_2$ while the remaining queries are handled according to the specification in $\mathsf{Hyb}_1$. By construction, $\mathsf{Hyb}_1 \equiv \mathsf{Hyb}_{1,0}$ and $\mathsf{Hyb}_2 \equiv \mathsf{Hyb}_{1,Q+1}$. Consider $\mathsf{Hyb}_{1,j-1}$ and $\mathsf{Hyb}_{1,j}$ for $j \in [Q+1]$. These two experiments only differ in how the challenger computes the output for the $j$th $\mathsf{Verify}$ call. Moreover, by construction of $\mathsf{Hyb}_{1,j-1}$ and $\mathsf{Hyb}_{1,j}$, all of the adversary's queries prior to the $j$th query are handled according to the specification in $\mathsf{Hyb}_2$, which depend only on the public components $\mathsf{crs}$ and $\mathsf{pk}$. Let $(\sigma, i, r_i, \pi_i)$ be the arguments to the $j$th $\mathsf{Verify}$ call. Write $\sigma = g^c h^{\bar c}$ and $\pi_i = (g^{t_i} h^{\bar t_i}, u_i)$ for $c, t_i \in \mathbb{Z}_{p'q'}$, $\bar c, \bar t_i \in \mathbb{Z}_2$, and $u_i \in \{0,1\}^\lambda$. We consider each case individually:

• Suppose $r_i \ne \mathsf{LEQ}(g^{t_i} h^{\bar t_i}, g^{t_i} h^{\bar t_i + 1})$. Then, the output in both experiments is 0.

• Suppose $\bar c \ne 0$ or $\bar t_i \ne 0$. We argue that with overwhelming probability, the output in $\mathsf{Hyb}_{1,j-1}$ is 0. For the output to be 1 in $\mathsf{Hyb}_{1,j-1}$, it must be the case that $u_i = H(\boldsymbol{\omega}_i)$ where
$$\boldsymbol{\omega}_i = \Big( (g^{t_i} h^{\bar t_i})^{a_1} (g^c h^{\bar c})^{b_{1,i}}, \ldots, (g^{t_i} h^{\bar t_i})^{a_T} (g^c h^{\bar c})^{b_{T,i}} \Big) \in \mathbb{J}_N^T. \tag{D.2}$$
In both $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$, the public parameters are independent of the values of $a_\tau \bmod 2$ and $b_{\tau,i} \bmod 2$ for all $\tau \in [T]$. This follows from the fact that $a_\tau, b_{\tau,i} \in \mathbb{Z}_{2p'q'}$, and the adversary only sees elements $g^{(a_\tau s_i + b_{\tau,i}) \mathbf{v}}$, where $g$ generates a group of order $p'q'$ (and $\gcd(p'q', 2) = 1$). Next, since $a_\tau$ and $b_{\tau,i}$ are uniform over $\mathbb{Z}_{2p'q'}$, the values $a_\tau \bmod 2$ and $b_{\tau,i} \bmod 2$ are distributed uniformly and independently of the rest of the public parameters. Since the responses to all of the adversary's queries prior to its $j$th query only depend on the public parameters, the conditional distribution of $a_\tau \bmod 2$ and $b_{\tau,i} \bmod 2$ given the adversary's view up to the time of its $j$th query is uniform and independently random. Since at least one of $\bar c$ and $\bar t_i$ is non-zero, this means that the value of $a_\tau \bar t_i + b_{\tau,i} \bar c \bmod 2$ is independently and uniformly random over $\mathbb{Z}_2$, and correspondingly, the conditional min-entropy of the vector $\boldsymbol{\omega}_i$ from Eq. (D.2) is at least $T = 2(\lambda + \lceil \log N \rceil)$. We now appeal to Lemma 2.6 to argue that the output distribution of $H(\boldsymbol{\omega}_i)$ is $(3p'q'\varepsilon)$-close to uniform over $\{0,1\}^\lambda$ where
$$\varepsilon = 2^{-(T - \lambda)/2} = 2^{-\lambda/2 - \lceil \log N \rceil},$$
since the adversary can choose the values of $c, t_i \in \mathbb{Z}_{p'q'}$ and $(\bar c, \bar t_i) \in \mathbb{Z}_2^2 \setminus \{\mathbf{0}\}$ after seeing the hash function $H$. Since $3p'q' < N$, $3p'q'\varepsilon < 2^{-\lambda/2} = \mathrm{negl}(\lambda)$, so we conclude that conditioned on the adversary's view, the distribution of $H(\boldsymbol{\omega}_i)$ in $\mathsf{Hyb}_{1,j-1}$ is statistically close to uniform over $\{0,1\}^\lambda$. The probability that $u_i = H(\boldsymbol{\omega}_i)$ is then negligibly close to $1/2^\lambda$, and the challenger outputs 0 with overwhelming probability.

• Suppose that $t_i \ne s_i c \in \mathbb{Z}_{p'q'}$. We only need to consider the case where $\bar c = 0$ and $\bar t_i = 0$. We show that in this case, the output in $\mathsf{Hyb}_{1,j-1}$ is 0 with overwhelming probability. For the output to be 1 in $\mathsf{Hyb}_{1,j-1}$ in this case, we require that $u_i = H(\boldsymbol{\omega}_i)$ where
$$\boldsymbol{\omega}_i = \big( g^{a_1 t_i + b_{1,i} c}, \ldots, g^{a_T t_i + b_{T,i} c} \big) \in \mathsf{QR}_N^T. \tag{D.3}$$
The only components in $\mathsf{crs}$ and $\mathsf{pk}$ that depend on $a_\tau$ and $b_{\tau,i}$ for $\tau \in [T]$ are the public-key components $g^{a_\tau s_i \mathbf{v} + b_{\tau,i} \mathbf{v}}$. Let $\mathbf{b}_\tau \in \mathbb{Z}_{2p'q'}^\rho$ be the vector whose components are $b_{\tau,1}, \ldots, b_{\tau,\rho}$, and let $\mathbf{s} \in \mathbb{Z}_{2p'q'}^\rho$ be the vector whose components are $s_1, \ldots, s_\rho$. The public parameters $\mathsf{pk}$ can then be expressed as a function of
$$\mathbf{Z}_\tau = [\, \mathbf{s} \mid \mathbf{I}_\rho \,] \cdot \begin{bmatrix} a_\tau \\ \mathbf{b}_\tau \end{bmatrix} \cdot \mathbf{v}^T \in \mathbb{Z}_{2p'q'}^{\rho \times \rho},$$
where $\mathbf{I}_\rho \in \mathbb{Z}_{2p'q'}^{\rho \times \rho}$ is the identity matrix. Namely, the components of $\mathsf{pk}$ consist of $g^{\mathbf{Z}_\tau}$ for all $\tau \in [T]$. Since $t_i \ne s_i c \in \mathbb{Z}_{p'q'}$, by the Chinese remainder theorem, it must be the case that $t_i \ne s_i c \pmod{p'}$ or $t_i \ne s_i c \pmod{q'}$. Without loss of generality, suppose that $t_i \ne s_i c \pmod{p'}$. In this case the vector $[\, t_i \mid c \cdot \mathbf{e}_i \,]$ is linearly independent of the rows of the matrix $[\, \mathbf{s} \pmod{p'} \mid \mathbf{I}_\rho \,]$. Since $a_\tau, \mathbf{b}_\tau$ are uniform over $\mathbb{Z}_{2p'q'}$, the components $a_\tau \bmod p'$ and $\mathbf{b}_\tau \bmod p'$ are uniform over $\mathbb{Z}_{p'}$. By linear independence over $\mathbb{Z}_{p'}$, the value of $a_\tau t_i + b_{\tau,i} c \pmod{p'}$ is uniformly random over $\mathbb{Z}_{p'}$ even given $\mathbf{Z}_\tau$ for all $\tau \in [T]$. As such, the conditional min-entropy of the vector $\boldsymbol{\omega}_i$ from Eq. (D.3) is at least $T \log p' > T$. By an analogous argument as in the previous case, we can now appeal to Lemma 2.6 and conclude that the output distribution of $H(\boldsymbol{\omega}_i)$ is statistically close to uniform over $\{0,1\}^\lambda$, in which case the probability that $u_i = H(\boldsymbol{\omega}_i)$ is negligible.

• The only remaining case is when $\bar c = 0 = \bar t_i$, $t_i = s_i c$, and $r_i = \mathsf{LEQ}(g^{t_i}, g^{t_i} h)$. In this case, $(g^{t_i})^{a_\tau} (g^c)^{b_{\tau,i}} = g^{(a_\tau s_i + b_{\tau,i}) c}$ for all $\tau \in [T]$. Since $\mathbf{v} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$, with overwhelming probability, there will be some component that is invertible modulo $p'q'$. If so, there always exists $\mathbf{y} \in \mathbb{Z}_{p'q'}^\rho$ such that $\mathbf{y}^T \mathbf{v} = c$. Then, in $\mathsf{Hyb}_{1,j-1}$, the challenger outputs 1 if and only if
$$u_i = H\big( g^{(a_1 s_i + b_{1,i}) c}, \ldots, g^{(a_T s_i + b_{T,i}) c} \big) = H\big( g^{(a_1 s_i + b_{1,i}) \mathbf{y}^T \mathbf{v}}, \ldots, g^{(a_T s_i + b_{T,i}) \mathbf{y}^T \mathbf{v}} \big) = H\big( g^{\mathbf{y}^T \mathbf{z}_{1,i}}, \ldots, g^{\mathbf{y}^T \mathbf{z}_{T,i}} \big),$$
where $\mathbf{z}_{\tau,i} = (a_\tau s_i + b_{\tau,i}) \mathbf{v}$ are the components in the public key. This is precisely the verification relation in $\mathsf{Hyb}_{1,j}$.

In each case, we see that the $j$th call to $\mathsf{Verify}$ is implemented correctly with overwhelming probability in $\mathsf{Hyb}_{1,j-1}$ and $\mathsf{Hyb}_{1,j}$.

To complete the proof, it suffices to show that for all adversaries $\mathcal{A}$, the output of $\mathsf{Hyb}_2(\mathcal{A})$ is 0 with overwhelming probability. Let $(\sigma^*, i^*, r^*, \pi^*)$ be the adversary's output in $\mathsf{Hyb}_2$. The output of $\mathsf{Hyb}_2$ is 1 only if $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma^*, i^*, r^*, \pi^*) = 1$ and $r_{i^*} \ne r^*$ where $r \leftarrow \mathsf{Open}(\mathsf{crs}, \sigma^*)$. Write $\sigma^* = g^c h^{\bar c}$ and $\pi^* = (g^{t_{i^*}} h^{\bar t_{i^*}}, u_{i^*})$. In $\mathsf{Hyb}_2$, if $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma^*, i^*, r^*, \pi^*) = 1$, it must be the case that $\bar c = 0$, $\bar t_{i^*} = 0$, $t_{i^*} = s_{i^*} c$, and
$$r^* = \mathsf{LEQ}\big( g^{t_{i^*}} h^{\bar t_{i^*}}, g^{t_{i^*}} h^{\bar t_{i^*} + 1} \big) = \mathsf{LEQ}\big( g^{s_{i^*} c}, g^{s_{i^*} c} h \big).$$
Moreover, since $\bar c = 0$, $r_{i^*} = \mathsf{LEQ}(g^{c s_{i^*}}, g^{c s_{i^*}} h) = r^*$. In this case, the output in $\mathsf{Hyb}_2$ is 0, and the theorem follows.

Proof of Theorem 5.8 (Statistical Simulation). We construct a simulator $S = (S_1, S_2)$ as follows:

• $S_1(1^\lambda, 1^\rho) \to (\mathsf{st}_S, \overline{\mathsf{crs}}, \overline{\mathsf{pk}}, \overline{\mathsf{sk}})$: Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$, where $p = 2p' + 1$ and $q = 2q' + 1$. Let $g$ be a generator of $\mathsf{QR}_N$ and $h = -1$. Sample a vector $\mathbf{v} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$, scalars $s_1, \ldots, s_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}$, and a hash function $H \xleftarrow{R} \mathcal{H}$. Set $\overline{\mathsf{crs}} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho})$. Sample $a_\tau, b_{\tau,i} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}$ for all $\tau \in [T]$ and $i \in [\rho]$. Output $\overline{\mathsf{crs}}$, $\overline{\mathsf{pk}} = \{ g^{(a_\tau s_i + b_{\tau,i}) \mathbf{v}} h^{a_\tau \mathbf{e}_i} \}_{\tau \in [T], i \in [\rho]}$, $\overline{\mathsf{sk}} = \{a_\tau, b_{\tau,i}\}_{\tau \in [T], i \in [\rho]}$, and $\mathsf{st}_S = (\overline{\mathsf{crs}}, \overline{\mathsf{pk}}, p', q', s_1, \ldots, s_\rho)$.

• $S_2(\mathsf{st}_S, I, r_I) \to (\sigma, \{\pi_i\}_{i \in I})$: On input $\mathsf{st}_S = (\overline{\mathsf{crs}}, \overline{\mathsf{pk}}, p', q', s_1, \ldots, s_\rho)$ where
$$\overline{\mathsf{crs}} = \big( N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho} \big) \quad \text{and} \quad \overline{\mathsf{pk}} = \{ g^{\mathbf{z}_{\tau,i}} h^{\bar{\mathbf{z}}_{\tau,i}} \}_{\tau \in [T], i \in [\rho]},$$
a set of indices $I \subseteq [\rho]$, and a bitstring $r_I \in \{0,1\}^{|I|}$, the simulator samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}_{p'q'}^\rho$. Then, for each $i \in [\rho]$, it samples $\bar y_i \in \mathbb{Z}_2$ as follows:

– If $i \notin I$, sample $\bar y_i \xleftarrow{R} \mathbb{Z}_2$.

– If $i \in I$, set $\bar y_i \in \mathbb{Z}_2$ to be the unique value where $r_i = \mathsf{LEQ}(g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i + 1})$.

Define $\mathbf{y} \in \mathbb{Z}_{2p'q'}^\rho$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}} \pmod 2$. The simulator then sets $g^{t_i} h^{\bar t_i} = g^{s_i \mathbf{y}^T \mathbf{v}} h^{\bar y_i}$ and
$$u_i = H\big( g^{\mathbf{y}^T \mathbf{z}_{1,i}} h^{\mathbf{y}^T \bar{\mathbf{z}}_{1,i}}, \ldots, g^{\mathbf{y}^T \mathbf{z}_{T,i}} h^{\mathbf{y}^T \bar{\mathbf{z}}_{T,i}} \big).$$
Output $\sigma = g^{\mathbf{y}^T \mathbf{v}}$ and $\{\pi_i\}_{i \in I}$ where $\pi_i = (g^{t_i} h^{\bar t_i}, u_i)$.

To show that $\mathsf{ExptHide}[\mathcal{A}, S, 0]$ and $\mathsf{ExptHide}[\mathcal{A}, S, 1]$ are statistically indistinguishable, we use a hybrid argument:

• $\mathsf{Hyb}_0$: This is the experiment $\mathsf{ExptHide}[\mathcal{A}, S, 0]$. Namely, the challenger begins by sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding})$ and $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$. For each challenge query, the challenger first samples $(\sigma, r, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathsf{GenBits}(\mathsf{crs})$ and gives $r$ to $\mathcal{A}$ before receiving a set $I \subseteq [\rho]$ chosen by $\mathcal{A}$. It then replies with $\sigma$ and $\{\pi_i\}_{i \in I}$.

More precisely, in this experiment,
$$\mathsf{crs} = \big( N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho} \big) \quad \text{and} \quad \mathsf{pk} = \{ g^{\mathbf{z}_{\tau,i}} h^{\bar{\mathbf{z}}_{\tau,i}} \}_{\tau \in [T], i \in [\rho]},$$
where $\mathbf{z}_{\tau,i} = (a_\tau s_i + b_{\tau,i}) \mathbf{v}$ and $\bar{\mathbf{z}}_{\tau,i} = a_\tau \mathbf{e}_i$. On each challenge query, the challenger samples $\mathbf{y} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$ and computes
$$\sigma = g^{\mathbf{y}^T \mathbf{v}} \quad \text{and} \quad g^{t_i} h^{\bar t_i} = g^{s_i \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_i} \quad \text{and} \quad g^{u_{\tau,i}} h^{\bar u_{\tau,i}} = g^{\mathbf{y}^T \mathbf{z}_{\tau,i}} h^{\mathbf{y}^T \bar{\mathbf{z}}_{\tau,i}},$$
for all $\tau \in [T]$ and $i \in [\rho]$. The random bits $r_i$ satisfy $r_i = \mathsf{LEQ}(g^{t_i} h^{\bar t_i}, g^{t_i} h^{\bar t_i + 1})$. Finally, the proofs $\pi_i$ are given by $\pi_i = (g^{t_i} h^{\bar t_i}, u_i)$, where $u_i = H(g^{u_{1,i}} h^{\bar u_{1,i}}, \ldots, g^{u_{T,i}} h^{\bar u_{T,i}})$.

• $\mathsf{Hyb}_1$: Same as $\mathsf{Hyb}_0$, except that the challenger computes $(\mathsf{st}_S, \overline{\mathsf{crs}}, \overline{\mathsf{pk}}, \overline{\mathsf{sk}}) \leftarrow S_1(1^\lambda, 1^\rho)$ and uses $\overline{\mathsf{crs}}$, $\overline{\mathsf{pk}}$, and $\overline{\mathsf{sk}}$ instead of $\mathsf{crs}$, $\mathsf{pk}$, and $\mathsf{sk}$, respectively.

• $\mathsf{Hyb}_2$: Same as $\mathsf{Hyb}_1$, except when responding to the challenge queries, the challenger samples $\mathbf{y} \xleftarrow{R} \mathbb{Z}_{2p'q'}^\rho$ instead of $\mathbf{y} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$.

• $\mathsf{Hyb}_3$: Same as $\mathsf{Hyb}_2$, except when responding to the challenge queries, the challenger first samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}_{p'q'}^\rho$ and $\bar{\mathbf{y}} \xleftarrow{R} \mathbb{Z}_2^\rho$. It defines $\mathbf{y} \in \mathbb{Z}_{2p'q'}^\rho$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}} \pmod 2$.

• $\mathsf{Hyb}_4$: Same as $\mathsf{Hyb}_3$, except when responding to the challenge queries, the challenger first samples $r \xleftarrow{R} \{0,1\}^\rho$. Then it samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}_{p'q'}^\rho$. For each $i \in [\rho]$, it sets $\bar y_i \in \mathbb{Z}_2$ to be the unique value where $r_i = \mathsf{LEQ}(g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i + 1})$. Finally it sets $\mathbf{y} \in \mathbb{Z}_{2p'q'}^\rho$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}} \pmod 2$. The remaining components are constructed as before.

• $\mathsf{Hyb}_5$: Same as $\mathsf{Hyb}_4$, except when responding to the challenge queries, the challenger samples $\bar{\mathbf{y}} \in \mathbb{Z}_2^\rho$ after it receives the challenge set. In particular, on each query, after the challenger receives the set $I \subseteq [\rho]$, it sets $\bar y_i \in \mathbb{Z}_2$ to the unique value where $r_i = \mathsf{LEQ}(g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i + 1})$ if $i \in I$, and otherwise, it samples $\bar y_i \xleftarrow{R} \mathbb{Z}_2$. All remaining components are constructed as in $\mathsf{Hyb}_4$. This is the distribution in $\mathsf{ExptHide}[\mathcal{A}, S, 1]$.

For an adversary $\mathcal{A}$, we write $\mathsf{Hyb}_i(\mathcal{A})$ to denote the output distribution of an execution of experiment $\mathsf{Hyb}_i$ with adversary $\mathcal{A}$. We now show that the output distribution of each adjacent pair of hybrid experiments is statistically indistinguishable.

Lemma D.4. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \equiv \mathsf{Hyb}_1(\mathcal{A})$.

Proof. Since $S_1(1^\lambda, 1^\rho)$ samples $\overline{\mathsf{crs}}$, $\overline{\mathsf{pk}}$, and $\overline{\mathsf{sk}}$ using the same procedure as $\mathsf{Setup}$ and $\mathsf{KeyGen}$, the output distributions of hybrids $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ are identically distributed.

Lemma D.5. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. The only difference between $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$ is that the challenger samples $\mathbf{y}$ uniformly at random from $\mathbb{Z}_{2p'q'}^\rho$ instead of $\mathbb{Z}_{\lfloor N/2 \rfloor}^\rho$ when answering challenge queries. Since the distributions $\mathsf{Uniform}(\mathbb{Z}_{\lfloor N/2 \rfloor})$ and $\mathsf{Uniform}(\mathbb{Z}_{2p'q'})$ are statistically indistinguishable (see Eq. (D.1)), the claim follows by a union bound (since $\rho = \mathrm{poly}(\lambda)$ and $\mathcal{A}$ makes a polynomial number of queries).

Lemma D.6. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_2(\mathcal{A}) \equiv \mathsf{Hyb}_3(\mathcal{A})$.

Proof. The two distributions only differ in how $\mathbf{y}$ is sampled. In $\mathsf{Hyb}_2$, $\mathbf{y}$ is uniform over $\mathbb{Z}_{2p'q'}^\rho$ while in $\mathsf{Hyb}_3$, we sample $\mathbf{y}' \xleftarrow{R} \mathbb{Z}_{p'q'}^\rho$ and $\bar{\mathbf{y}} \xleftarrow{R} \mathbb{Z}_2^\rho$ and define $\mathbf{y}$ so that $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}} \pmod 2$. These distributions are identical by the Chinese remainder theorem (since $\gcd(p'q', 2) = 1$).

Lemma D.7. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_3(\mathcal{A}) \equiv \mathsf{Hyb}_4(\mathcal{A})$.

Proof. First, $\mathbf{y}'$ is sampled identically in the two distributions. It suffices to show that once we fix $\mathbf{y}'$, there is a one-to-one correspondence between the value of $\bar{\mathbf{y}} \in \mathbb{Z}_2^\rho$ and the value of $r$. Since $g$ generates a subgroup of order $p'q'$, and $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$, we have that in $\mathsf{Hyb}_3$, $g^{s_i \mathbf{y}^T \mathbf{v}} = g^{s_i (\mathbf{y}')^T \mathbf{v}}$. Similarly, since $h$ has order 2, $h^{\mathbf{y}^T \mathbf{e}_i} = h^{y_i} = h^{\bar y_i}$. This means that the bit $r_i$ satisfies
$$r_i = \mathsf{LEQ}(g^{t_i} h^{\bar t_i}, g^{t_i} h^{\bar t_i + 1}) = \mathsf{LEQ}\big( g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i + 1} \big).$$
By construction of $\mathsf{LEQ}$ and the fact that $h$ generates a subgroup of order 2, this means that
$$\mathsf{LEQ}\big( g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{(1 - \bar y_i)}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{(1 - \bar y_i) + 1} \big) = 1 - \mathsf{LEQ}\big( g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i + 1} \big) = 1 - r_i,$$
and so we see that there is a one-to-one correspondence between $\bar{\mathbf{y}} \in \mathbb{Z}_2^\rho$ and the bitstring $r \in \{0,1\}^\rho$. Both $\mathsf{Hyb}_3$ and $\mathsf{Hyb}_4$ enforce this correspondence, and thus, are identically distributed.


Lemma D.8. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_4(\mathcal{A}) \equiv \mathsf{Hyb}_5(\mathcal{A})$.

Proof. First, the challenger generates the common reference string $\overline{\mathsf{crs}}$ and the public key $\overline{\mathsf{pk}}$ identically in the two experiments. It suffices to argue that the challenger's response to the adversary's challenge query is identically distributed in $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$. In particular, on each challenge query, after the adversary outputs a set $I \subseteq [\rho]$, the challenger replies with a commitment $\sigma = g^{\mathbf{y}^T \mathbf{v}}$ and a collection of proofs $\{\pi_i\}_{i \in I}$ where $\pi_i = (g^{t_i} h^{\bar t_i}, u_i)$. We show that the commitment $\sigma$ and the components $t_i$, $\bar t_i$, and $u_i$ are identically distributed in the two experiments:

• In $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, the challenger samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}_{p'q'}^\rho$. Since $g$ generates a subgroup of order $p'q'$ and $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$, it follows that $\sigma = g^{\mathbf{y}^T \mathbf{v}} = g^{(\mathbf{y}')^T \mathbf{v}}$, and so $\sigma$ is identically distributed in the two experiments.

• In $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, for all $i \in I$, the challenger samples $\bar y_i \xleftarrow{R} \mathbb{Z}_2$ conditioned on $r_i = \mathsf{LEQ}(g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i}, g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i + 1})$. Thus, the variables $\bar y_i$ for $i \in I$ in the two experiments are identically distributed. In both experiments, it then defines
$$g^{t_i} h^{\bar t_i} = g^{s_i \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_i} = g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar y_i},$$
and so all of the $g^{t_i} h^{\bar t_i}$ terms for $i \in I$ are identically distributed.

• In $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, $u_i = H(g^{u_{1,i}} h^{\bar u_{1,i}}, \ldots, g^{u_{T,i}} h^{\bar u_{T,i}})$ where
$$g^{u_{\tau,i}} h^{\bar u_{\tau,i}} = g^{\mathbf{y}^T \mathbf{z}_{\tau,i}} h^{\mathbf{y}^T \bar{\mathbf{z}}_{\tau,i}} = g^{(\mathbf{y}')^T \mathbf{z}_{\tau,i}} h^{a_\tau \bar y_i}, \tag{D.4}$$
using the fact that $g$ generates a group of order $p'q'$, $h$ generates a group of order 2 and $\bar{\mathbf{z}}_{\tau,i} = a_\tau \mathbf{e}_i$. Since all of the components in Eq. (D.4) are identically distributed for all $i \in I$ and $\tau \in [T]$, we conclude that the components $u_i$ for $i \in I$ are also identically distributed.

Theorem 5.8 now follows by a hybrid argument.

D.2 Analysis of Construction 5.9 (Dual-Mode (Malicious) HBG from QR)

In this section, we give the proofs for the correctness and security theorems (Theorems 5.10 to 5.14) for the dual-mode hidden-bits generator with malicious security from QR (Construction 5.9). The analysis proceeds very similarly to that of the basic QR scheme (Construction 5.3) in Appendix D.1.

Proof of Theorem 5.10 (Correctness). Follows by an analogous argument as the proof of Theorem 5.4.

Proof of Theorem 5.11 (Succinctness). The commitment $\sigma$ in Construction 5.9 consists of a PRG seed $s \in \{0,1\}^\kappa$ where $\kappa = \mathrm{poly}(\lambda)$ and an element of $\mathbb{Z}_N$, which has size $2 \lceil \log N \rceil = \mathrm{poly}(\lambda)$. Thus, $|\sigma| = \mathrm{poly}(\lambda)$.

Proof of Theorem 5.12 (CRS Indistinguishability). Same as the proof of Theorem 5.6.


Proof of Theorem 5.13 (Statistical Binding). Follows by a similar argument as in the proof of Theorem 5.7. Specifically, we first show that we can substitute the real verification algorithm Verify with the following algorithm. On input $(\sigma, i, r_i, \pi_i)$, the challenger does the following:

• Write $\sigma = (s, \bar{c})$ and $\pi_i = \{(j, \bar{t}_j, u_j)\}_{j \in S}$ for an implicitly defined set $S$. Let $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$, and define the shifted set $\bar{S}_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$. If $S \neq \bar{S}_i$, output 0.

• If $\bar{c} \neq g^{c}$ for some $c \in \mathbb{Z}_{p'q'}$, output 0.

• If $\bar{t}_j \neq g^{c s_j}$ for any $j \in \bar{S}_i$, output 0. Here, $s_j \in \mathbb{Z}_{p'q'}$ is sampled by Setup and used to construct $\mathrm{crs} = (N, g, h, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_{\ell'} \mathbf{v}})$.

• Compute $t'_i \leftarrow \prod_{j \in \bar{S}_i} \bar{t}_j^{\alpha_j}$ and output 0 if $r_i \neq \mathrm{LEQ}(t'_i, t'_i h)$.

• Take any $\mathbf{y} \in \mathbb{Z}^{\ell'}_{p'q'}$ such that $\mathbf{y}^T \mathbf{v} = c$, and write the public key as $\mathrm{pk} = \{g^{\mathbf{z}_{\tau,i}}\}_{\tau \in [T], i \in [\ell']}$. If $u_j \neq H(g^{\mathbf{y}^T \mathbf{z}_{1,j}}, \ldots, g^{\mathbf{y}^T \mathbf{z}_{T,j}})$ for some $j \in \bar{S}_i$, or if no such $\mathbf{y}$ exists, then output 0. If all checks pass, output 1.

Using the same argument as the proof of Theorem 5.7 (applied to each individual component $\bar{c}$, $\bar{t}_j$, and $u_j$), and appealing to a union bound, we can conclude that the output of the real verification algorithm and this modified verification algorithm are identical with overwhelming probability. Similarly, as in the proof of Theorem 5.7, no adversary is able to win the binding game with respect to the modified verification algorithm, and the claim follows.

Proof of Theorem 5.14 (Statistical Hiding). We construct a simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ as follows:

• $\mathcal{S}_1(1^\lambda, 1^\rho) \to (\mathrm{st}_{\mathcal{S}}, \mathrm{crs})$: Sample $(N, p, q) \leftarrow \mathrm{SampleModulus}(1^\lambda)$, where $p = 2p'+1$ and $q = 2q'+1$. Let $g$ be a generator of $\mathrm{QR}_N$ and $h = -1$ be the generator of $\mathbb{H} = \{\pm 1\}$. Sample a vector $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N/2 \rfloor}$, scalars $s_1, \ldots, s_{\ell'} \xleftarrow{R} \mathbb{Z}_{\lfloor N/2 \rfloor}$, and a hash function $H \xleftarrow{R} \mathcal{H}$. Output
$$\mathrm{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{e}_{\ell'}}\big)$$
and $\mathrm{st}_{\mathcal{S}} = (\mathrm{crs}, p', q', s_1, \ldots, s_{\ell'})$.

• $\mathcal{S}_2(\mathrm{st}_{\mathcal{S}}, \mathrm{pk}, I, \mathbf{r}_I) \to (\sigma, \{\pi_i\}_{i \in I})$: On input $\mathrm{st}_{\mathcal{S}} = (\mathrm{crs}, p', q', s_1, \ldots, s_{\ell'})$ where
$$\mathrm{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{e}_{\ell'}}\big),$$
a public key $\mathrm{pk} = \{\bar{\mathbf{z}}_{\tau,i}\}_{\tau \in [T], i \in [\ell']}$, a set of indices $I \subseteq [\rho]$, and a bitstring $\mathbf{r}_I \in \{0,1\}^{|I|}$, the simulator does the following:

1. Check that $\bar{\mathbf{z}}_{\tau,i} \in \mathbb{J}_N^{\ell'}$ for all $\tau \in [T]$ and $i \in [\ell']$. Output $\bot$ if this is not the case.

2. Sample a seed $s \xleftarrow{R} \{0,1\}^\kappa$ and compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$, where $\boldsymbol{\alpha} \in \mathbb{Z}_2^{\rho\ell}$. For each $i \in I$, it computes the shifted sets $\bar{S}_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$.

3. Sample $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\ell'}_{p'q'}$. Then, it samples a vector $\hat{\mathbf{y}}' \in \mathbb{Z}_2^{\ell'}$ as follows:

– For each $i \in I$, let $\omega_i \leftarrow \sum_{j \in \bar{S}_i} \alpha_j s_j \pmod{p'q'}$. Then, set $\hat{\omega}_i \in \mathbb{Z}_2$ to be the unique value where $r_i = \mathrm{LEQ}\big(g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\hat{\omega}_i},\ g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\hat{\omega}_i + 1}\big)$. Then, for each $j \in \bar{S}_i$ sample $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$ subject to the constraint that $\sum_{j \in \bar{S}_i} \alpha_j \hat{y}'_j = \hat{\omega}_i$.


– For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i \in I} \bar{S}_i$, sample $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$.

Define $\mathbf{y} \in \mathbb{Z}^{\ell'}_{2p'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \hat{\mathbf{y}}' \pmod{2}$.

4. Next, the simulator computes $\sigma = (s, g^{\mathbf{y}^T\mathbf{v}})$ and $\bar{t}_j = g^{s_j \mathbf{y}^T\mathbf{v}} h^{\mathbf{y}^T\mathbf{e}_j}$ for each $j \in \bar{S}_i$. Next, for each $j \in \bar{S}_i$ and $\tau \in [T]$, compute $\bar{u}_{\tau,j} \leftarrow \prod_{k \in [\ell']} \bar{z}_{\tau,j,k}^{\,y_k}$, and set $u_j \leftarrow H(\bar{u}_{1,j}, \ldots, \bar{u}_{T,j})$. It sets $\pi_i = \{(j, \bar{t}_j, u_j)\}_{j \in \bar{S}_i}$.

5. Output $\sigma$ and $\{\pi_i\}_{i \in I}$.

We now use a hybrid argument to show that $\mathrm{ExptHide}[\mathcal{A}, 0]$ and $\mathrm{ExptHide}[\mathcal{A}, 1]$ are statistically indistinguishable:

• $\mathrm{Hyb}_0$: This is the experiment $\mathrm{ExptHide}[\mathcal{A}, \mathcal{S}, 0]$. Namely, the challenger begins by sampling $\mathrm{crs} \leftarrow \mathrm{Setup}(1^\lambda, 1^\rho, \mathrm{hiding})$, and gives crs to $\mathcal{A}$. The adversary $\mathcal{A}$ replies with a public key pk. For each challenge query, the challenger samples $(\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathrm{GenBits}(\mathrm{crs}, \mathrm{pk})$ and gives $\mathbf{r}$ to $\mathcal{A}$ before receiving a set $I \subseteq [\rho]$ chosen by $\mathcal{A}$. It then replies with $\sigma$ and $\{\pi_i\}_{i \in I}$.

• $\mathrm{Hyb}_1$: This experiment is identical to $\mathrm{Hyb}_0$, except that the challenger computes $(\mathrm{st}_{\mathcal{S}}, \mathrm{crs}) \leftarrow \mathcal{S}_1(1^\lambda, 1^\rho)$ and uses the simulated crs in place of the one produced by Setup. Everything else proceeds identically to $\mathrm{Hyb}_0$.

Specifically, in this experiment, the challenger samples $(N, p, q)$, $H$, $\mathbf{v}$, $s_1, \ldots, s_{\ell'}$ as specified by $\mathcal{S}_1$ and sets $\mathrm{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{e}_{\ell'}})$. It gives crs to $\mathcal{A}$ to receive a public key $\mathrm{pk} = \{\bar{\mathbf{z}}_{\tau,i}\}_{\tau \in [T], i \in [\ell']}$. On a challenge query, the challenger proceeds as follows:

1. Check that $\bar{\mathbf{z}}_{\tau,i} \in \mathbb{J}_N^{\ell'}$ for all $\tau \in [T]$ and $i \in [\ell']$, and output $\bot$ otherwise.

2. Sample $s \xleftarrow{R} \{0,1\}^\kappa$ and compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$. For each $i \in [\rho]$, let $\bar{S}_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$.

3. Sample $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N/2 \rfloor}$ and compute for each $j \in [\ell']$ and $\tau \in [T]$,
$$\bar{c} \leftarrow g^{\mathbf{y}^T\mathbf{v}} \quad\text{and}\quad \bar{t}_j \leftarrow g^{s_j \mathbf{y}^T\mathbf{v}} h^{\mathbf{y}^T\mathbf{e}_j} \quad\text{and}\quad \bar{u}_{\tau,j} \leftarrow \prod_{k \in [\ell']} (\bar{z}_{\tau,j,k})^{y_k}.$$
Then, for each $j \in [\ell']$, compute $u_j \leftarrow H(\bar{u}_{1,j}, \ldots, \bar{u}_{T,j})$.

4. For each $i \in [\rho]$, compute $t'_i \leftarrow \prod_{j \in \bar{S}_i} \bar{t}_j^{\alpha_j}$ and $r_i \leftarrow \mathrm{LEQ}(t'_i, t'_i h)$ and $\pi_i \leftarrow \{(j, \bar{t}_j, u_j)\}_{j \in \bar{S}_i}$.

5. The challenger gives $\mathbf{r}$ to $\mathcal{A}$ and receives a set $I \subseteq [\rho]$.

6. The challenger replies with $\sigma = (s, \bar{c})$ and the set $\{\pi_i\}_{i \in I}$.

• $\mathrm{Hyb}_2$: Same as $\mathrm{Hyb}_1$, except when responding to challenge queries, the challenger samples $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{2p'q'}$ instead of $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N/2 \rfloor}$.

• $\mathrm{Hyb}_3$: Same as $\mathrm{Hyb}_2$, except when responding to the challenge queries, the challenger first samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\ell'}_{p'q'}$ and $\hat{\mathbf{y}}' \xleftarrow{R} \mathbb{Z}^{\ell'}_2$. It defines $\mathbf{y} \in \mathbb{Z}^{\ell'}_{2p'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \hat{\mathbf{y}}' \pmod{2}$.

• $\mathrm{Hyb}_4$: Same as $\mathrm{Hyb}_3$, except when responding to challenge queries, the challenger samples $s$ and $\mathbf{y}'$ as in $\mathrm{Hyb}_3$. Next, for each $i \in [\rho]$, it samples $\hat{\omega}_i \xleftarrow{R} \mathbb{Z}_2$, and for $j \in \bar{S}_i$, it samples $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$ subject to the constraint that $\sum_{j \in \bar{S}_i} \alpha_j \hat{y}'_j = \hat{\omega}_i$. For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i \in I} \bar{S}_i$, sample $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$.


• $\mathrm{Hyb}_5$: Same as $\mathrm{Hyb}_4$, except when responding to the challenge queries, the challenger first samples $\mathbf{r} \xleftarrow{R} \{0,1\}^\rho$. Then, after sampling $s$ and $\mathbf{y}'$, it computes for each $i \in [\rho]$, $\omega_i \leftarrow \sum_{j \in \bar{S}_i} \alpha_j s_j \pmod{p'q'}$. Then, it sets $\hat{\omega}_i \in \mathbb{Z}_2$ to be the unique value where $r_i = \mathrm{LEQ}\big(g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i},\ g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i + 1}\big)$.

• $\mathrm{Hyb}_6$: Same as $\mathrm{Hyb}_5$, except when responding to the challenge queries, the challenger samples $\hat{\mathbf{y}}' \in \mathbb{Z}_2^{\ell'}$ after it receives the challenge set. On each query, after the challenger receives the set $I \subseteq [\rho]$, for each $i \in I$, it samples $\hat{\mathbf{y}}'$ as follows:

– For each $i \in I$, let $\omega_i \leftarrow \sum_{j \in \bar{S}_i} \alpha_j s_j \pmod{p'q'}$. Then, set $\hat{\omega}_i \in \mathbb{Z}_2$ to be the unique value where $r_i = \mathrm{LEQ}\big(g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i},\ g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i + 1}\big)$. Finally, sample $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$ for each $j \in \bar{S}_i$ subject to the constraint that $\sum_{j \in \bar{S}_i} \alpha_j \hat{y}'_j = \hat{\omega}_i$.

– For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i \in I} \bar{S}_i$, sample $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$.

The remaining components are constructed as in $\mathrm{Hyb}_5$. This is exactly the distribution in $\mathrm{ExptHide}[\mathcal{A}, \mathcal{S}, 1]$.

For an adversary $\mathcal{A}$, we write $\mathrm{Hyb}_i(\mathcal{A})$ to denote the output of $\mathrm{Hyb}_i$ with adversary $\mathcal{A}$. In the following, we show that the output distribution on each pair of adjacent experiments is statistically indistinguishable (or identically distributed). Because $\mathbb{H} = \{\pm 1\}$ is small, our analysis will rely on a stronger version of Claim C.11:

Claim D.9. Suppose $G$ is a secure PRG and take $s \xleftarrow{R} \{0,1\}^\kappa$. Let $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$. Then, with overwhelming probability over the choice of $s$, the following properties hold:

• For any $i \in [\rho]$, $\Pr[\exists j \in \bar{S}_i : \alpha_j \neq 0] = 1 - \mathrm{negl}(\lambda)$.

• Let $\mathbf{A} \in \mathbb{Z}_2^{\ell \times \ell' T}$ be any fixed matrix and let $I \subseteq [\rho]$ be any fixed set of indices. For each $i \in I$, let $\bar{S}_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$ be the shifted set of indices, and define
$$J = \{ j \in [\ell'] \mid j \in \bar{S}_i \text{ for some } i \in I \} \subseteq [\ell'].$$
Write $\mathbf{A} = [\,\mathbf{A}_1 \mid \cdots \mid \mathbf{A}_{\ell'}\,]$, where each $\mathbf{A}_i \in \mathbb{Z}_2^{\ell \times T}$. Let $\bar{\mathbf{A}} \in \mathbb{Z}_2^{\ell \times \lambda|I|T}$ be the submatrix of $\mathbf{A}$ formed by taking only the blocks of $\mathbf{A}$ indexed by the set $J$ (namely, the blocks $\mathbf{A}_j$ for $j \in J$). Next, for $i \in [\rho]$, define $\boldsymbol{\alpha}^{(i)} \in \mathbb{Z}_2^{\ell}$ as follows:
$$\alpha^{(i)}_j = \begin{cases} \alpha_{j + \ell \cdot (i-1)} & \text{if } j \in S_i \\ 0 & \text{otherwise.} \end{cases}$$
By construction, $\boldsymbol{\alpha}^{(i)}$ contains exactly $\lambda$ non-zero entries (as specified by the set $S_i$). Then, for any $i \in [\rho] \setminus I$,
$$\Pr[\boldsymbol{\alpha}^{(i)} \in \mathrm{span}(\bar{\mathbf{A}})] = \Pr[\exists \mathbf{v} \in \mathbb{Z}_2^{\lambda|I|T} : \boldsymbol{\alpha}^{(i)} = \bar{\mathbf{A}}\mathbf{v}] = \mathrm{negl}(\lambda).$$

Proof. As in the proof of Claim C.11, it suffices to check that these properties hold for truly random $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \xleftarrow{R} \mathcal{T}^{\rho}_{\lambda,\ell} \times \mathbb{Z}_2^{\rho\ell}$. We show each property below:


• Since $\boldsymbol{\alpha} \xleftarrow{R} \mathbb{Z}_2^{\rho\ell}$, for all $j \in [\rho\ell]$, $\Pr[\alpha_j = 0] = 1/2$. Since $|\bar{S}_i| = \lambda$, we have that $\Pr[\forall j \in \bar{S}_i : \alpha_j = 0] = 1/2^\lambda = \mathrm{negl}(\lambda)$, and the claim holds.

• Let $\bar{\mathbf{A}}$ be the matrix defined above and let $\mathbf{a}_j^T \in \mathbb{Z}_2^{\lambda|I|T}$ denote the $j$th row of $\bar{\mathbf{A}}$. Let $n = \mathrm{rank}(\bar{\mathbf{A}}) \le \lambda|I|T \le \lambda\rho T = \ell/(36\lambda)$. This means that there exists a collection of indices $j_1, \ldots, j_n \in [\ell]$ such that the collection $\{\mathbf{a}_{j_1}^T, \ldots, \mathbf{a}_{j_n}^T\}$ is linearly independent and $\mathrm{span}(\bar{\mathbf{A}}^T) = \mathrm{span}(\{\mathbf{a}_{j_1}^T, \ldots, \mathbf{a}_{j_n}^T\})$. By construction $\bar{\mathbf{A}}$ only depends on $\mathbf{A}$ and the sets $S_i$ where $i \in I$. This means that we can sample the sets $S_i$ where $i \notin I$ after fixing $\bar{\mathbf{A}}$ and the set of indices $\{j_1, \ldots, j_n\}$. In this case, we will show that if we sample $S_i \xleftarrow{R} \mathcal{T}_{\lambda,\ell}$, then with negligible probability, $|S_i \cap \{j_1, \ldots, j_n\}| \ge \lambda/2$. Let $K = |S_i \cap \{j_1, \ldots, j_n\}|$. In the proof of Claim C.11, it was sufficient to show that $K < \lambda$ with overwhelming probability because we were working over a super-polynomial-size field. Here, we require the stronger property that $K < \lambda/2$ with overwhelming probability because we are working over the binary field. Take any $\lambda \ge k \ge \lambda/2$. Then
$$\Pr[K = k] = \frac{\binom{n}{k}\binom{\ell - n}{\lambda - k}}{\binom{\ell}{\lambda}} \le \frac{\left(\frac{en}{k}\right)^k (e\ell)^{\lambda - k}}{\left(\frac{\ell}{\lambda}\right)^\lambda},$$
where we have used the fact that $(n/k)^k \le \binom{n}{k} \le (en/k)^k$. Since $n \le \ell/(36\lambda)$ and $\lambda \ge k \ge \lambda/2$, we have that
$$\Pr[K = k] \le \frac{(e\lambda)^\lambda}{\ell^k}\left(\frac{n}{k}\right)^k \le \frac{(e\lambda)^\lambda}{\ell^k}\left(\frac{2\ell}{36\lambda^2}\right)^k = \frac{(e\lambda)^\lambda\, 2^k}{(36\lambda^2)^k} \le \frac{(2e)^\lambda}{36^{\lambda/2}} = \frac{(2e)^\lambda}{6^\lambda} = \mathrm{negl}(\lambda).$$
Then, by a union bound $\Pr[\lambda \ge K \ge \lambda/2] = \mathrm{negl}(\lambda)$. Thus, with overwhelming probability, $K = |S_i \cap \{j_1, \ldots, j_n\}| < \lambda/2$. This means that there exist at least $\lambda/2$ indices $j^*_k \in S_i$ where $j^*_k \notin \{j_1, \ldots, j_n\}$. Now as in the proof of Claim C.11, since $\mathbf{a}_{j^*_k} \in \mathrm{span}(\bar{\mathbf{A}}^T)$, there exist scalars $\beta_1, \ldots, \beta_n \in \mathbb{Z}_2$ such that $\mathbf{a}^T_{j^*_k} = \sum_{\gamma \in [n]} \beta_\gamma \mathbf{a}^T_{j_\gamma}$. This means that if there exists $\mathbf{v} \in \mathbb{Z}_2^{\lambda|I|T}$ such that $\boldsymbol{\alpha}^{(i)} = \bar{\mathbf{A}}\mathbf{v}$, then
$$\alpha^{(i)}_{j^*_k} = \mathbf{a}^T_{j^*_k}\mathbf{v} = \sum_{\gamma \in [n]} \beta_\gamma \mathbf{a}^T_{j_\gamma}\mathbf{v} = \sum_{\gamma \in [n]} \beta_\gamma \alpha^{(i)}_{j_\gamma}. \qquad \text{(D.5)}$$
Since $j^*_k \in S_i$, by construction, $\alpha^{(i)}_{j^*_k} = \alpha_{j^*_k + \ell \cdot (i-1)}$, which is uniform over $\mathbb{Z}_2$ and independent of $\beta_\gamma$ and $\alpha^{(i)}_{j_\gamma}$ for all $\gamma \in [n]$. Thus, over the randomness of $\boldsymbol{\alpha}$, Eq. (D.5) holds with probability $1/2$ for each index $j^*_k$. Thus, for any $i \in [\rho] \setminus I$, with overwhelming probability over the choice of $S_i$, there are at least $\lambda/2$ such indices $j^*_k \in S_i$, and since each $\alpha^{(i)}_{j^*_k}$ is sampled independently and uniformly over $\mathbb{Z}_2$, we have that
$$\Pr\big[\exists \mathbf{v} \in \mathbb{Z}_2^{\lambda|I|T} : \boldsymbol{\alpha}^{(i)} = \bar{\mathbf{A}}\mathbf{v}\big] \le \frac{1}{2^{\lambda/2}} = \mathrm{negl}(\lambda).$$

Lemma D.10. For all adversaries $\mathcal{A}$, $\mathrm{Hyb}_0(\mathcal{A}) \equiv \mathrm{Hyb}_1(\mathcal{A})$.

Proof. Since $\mathcal{S}_1(1^\lambda, 1^\rho)$ samples crs using the same procedure as $\mathrm{Setup}(1^\lambda, 1^\rho)$, the output distributions of $\mathrm{Hyb}_0$ and $\mathrm{Hyb}_1$ are identical.


Lemma D.11. For all adversaries $\mathcal{A}$, $\mathrm{Hyb}_1(\mathcal{A}) \overset{s}{\approx} \mathrm{Hyb}_2(\mathcal{A})$.

Proof. Follows by the same argument as the proof of Lemma D.5.

Lemma D.12. For all adversaries $\mathcal{A}$, $\mathrm{Hyb}_2(\mathcal{A}) \equiv \mathrm{Hyb}_3(\mathcal{A})$.

Proof. Follows by the Chinese remainder theorem (as in the proof of Lemma D.6).

Lemma D.13. If $G$ is a secure PRG, then for all adversaries $\mathcal{A}$, $\mathrm{Hyb}_3(\mathcal{A}) \overset{s}{\approx} \mathrm{Hyb}_4(\mathcal{A})$.

Proof. In $\mathrm{Hyb}_3$, the challenger samples $\hat{\mathbf{y}}' \xleftarrow{R} \mathbb{Z}_2^{\ell'}$ while in $\mathrm{Hyb}_4$, the challenger samples $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$ subject to the constraint that $\sum_{j \in \bar{S}_i} \alpha_j \hat{y}'_j = \hat{\omega}_i$ where $\hat{\omega}_i \xleftarrow{R} \mathbb{Z}_2$ for $j \in \bar{S}_i$ and $i \in [\rho]$. For the indices $j \in [\ell'] \setminus \bigcup_{i \in I} \bar{S}_i$, $\hat{y}'_j \xleftarrow{R} \mathbb{Z}_2$. These distributions are identical as long as there exists some $j \in \bar{S}_i$ where $\alpha_j \neq 0$ for each $i \in [\rho]$. Since $G$ is a secure PRG, this follows by Claim D.9.

Lemma D.14. For all adversaries $\mathcal{A}$, $\mathrm{Hyb}_4(\mathcal{A}) \equiv \mathrm{Hyb}_5(\mathcal{A})$.

Proof. First, $\mathbf{y}'$ is sampled identically in the two distributions. It suffices to show that once we fix the PRG seed $s$ and the vector $\mathbf{y}' \in \mathbb{Z}^{\ell'}_{p'q'}$, there is a one-to-one correspondence between the value of $\hat{\omega}_i$ and the value of $r_i$. In $\mathrm{Hyb}_4$, $r_i = \mathrm{LEQ}(t'_i, t'_i h)$ where
$$t'_i = \prod_{j \in \bar{S}_i} \bar{t}_j^{\alpha_j} = \prod_{j \in \bar{S}_i} \big(g^{s_j \mathbf{y}^T\mathbf{v}} h^{\mathbf{y}^T\mathbf{e}_j}\big)^{\alpha_j}.$$
Since $g$ generates a subgroup of order $p'q'$, and $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$, we have that in $\mathrm{Hyb}_3$, $g^{\alpha_j s_j \mathbf{y}^T\mathbf{v}} = g^{\alpha_j s_j (\mathbf{y}')^T\mathbf{v}}$. Similarly, since $h$ has order 2, $h^{\mathbf{y}^T\mathbf{e}_j} = h^{y_j} = h^{\hat{y}'_j}$. This means that
$$t'_i = \prod_{j \in \bar{S}_i} \big(g^{s_j \mathbf{y}^T\mathbf{v}} h^{\mathbf{y}^T\mathbf{e}_j}\big)^{\alpha_j} = \prod_{j \in \bar{S}_i} g^{\alpha_j s_j (\mathbf{y}')^T\mathbf{v}} h^{\alpha_j \hat{y}'_j} = g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i},$$
where $\omega_i = \sum_{j \in \bar{S}_i} \alpha_j s_j$ and $\hat{\omega}_i = \sum_{j \in \bar{S}_i} \alpha_j \hat{y}'_j$. Since $r_i = \mathrm{LEQ}(t'_i, t'_i h)$, we conclude that once we fix the seed $s$ (which together with the CRS determines the value of $\omega_i$) and the vector $\mathbf{y}'$, then the value of $r_i$ is entirely determined by the value of $\hat{\omega}_i \pmod{2}$. By the same argument as in the proof of Lemma D.7, there is a one-to-one correspondence between the value of $\hat{\omega}_i$ and $r_i$, and both distributions enforce this correspondence. As such, these two distributions are identical.

Lemma D.15. If $G$ is a secure PRG, then for all adversaries $\mathcal{A}$, $\mathrm{Hyb}_5(\mathcal{A}) \overset{s}{\approx} \mathrm{Hyb}_6(\mathcal{A})$.

Proof. The challenger samples crs identically in the two experiments, so $N, g, h, \mathbf{v}, s_1, \ldots, s_{\ell'}$ are identically distributed in the two experiments, and it suffices to consider its responses to the challenge queries. In both experiments, on each query, the challenger starts by sending the adversary a random string $\mathbf{r} \xleftarrow{R} \{0,1\}^\rho$, and the adversary replies with a set $I \subseteq [\rho]$. The challenger then replies with a commitment $\sigma = (s, \bar{c})$ and a set of proofs $\{\pi_i\}_{i \in I}$, where $\pi_i = \{(j, \bar{t}_j, u_j)\}_{j \in \bar{S}_i}$. We show that the challenger's responses are statistically indistinguishable in the two experiments. To this end, we define the following variables:

• For $i \in [\rho]$, let $\hat{\mathbf{y}}^{(i)} \in \mathbb{Z}_2^{\ell}$ be the vector where $\hat{y}^{(i)}_j = \hat{y}'_{j + \ell \cdot (i-1)} \in \mathbb{Z}_N$. In other words,
$$(\hat{\mathbf{y}}')^T = [\,(\hat{\mathbf{y}}^{(1)})^T \mid \cdots \mid (\hat{\mathbf{y}}^{(\rho)})^T\,] \in \mathbb{Z}_2^{\ell'}.$$


• For $i \in [\rho]$, define $\boldsymbol{\alpha}^{(i)} = (\alpha^{(i)}_1, \ldots, \alpha^{(i)}_\ell)^T \in \mathbb{Z}_N^{\ell}$ as follows:
$$\alpha^{(i)}_j = \begin{cases} \alpha_{j + \ell \cdot (i-1)} & \text{if } j \in S_i \\ 0 & \text{otherwise.} \end{cases}$$

We now consider the different components in the two experiments:

• The string $\mathbf{r}$ is independently and uniformly sampled from $\{0,1\}^\rho$ in both experiments.

• The seed $s$ is independently and uniformly sampled from $\{0,1\}^\kappa$ in both experiments, so the seed $s$, the sets $S_1, \ldots, S_\rho$, and the vector $\boldsymbol{\alpha}$ are identically distributed as well.

• The vector $\mathbf{y}'$ is sampled uniformly from $\mathbb{Z}^{\ell'}_{p'q'}$ in both experiments. Since $g$ generates a group of order $p'q'$, the commitment $\bar{c} = g^{\mathbf{y}^T\mathbf{v}} = g^{(\mathbf{y}')^T\mathbf{v}}$ is identically distributed in $\mathrm{Hyb}_5$ and $\mathrm{Hyb}_6$.

• For all $i \in I$, both experiments set $\omega_i \leftarrow \sum_{j \in \bar{S}_i} \alpha_j s_j \pmod{p'q'}$ and sample $\hat{\omega}_i \xleftarrow{R} \mathbb{Z}_2$ subject to $r_i = \mathrm{LEQ}\big(g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i},\ g^{\omega_i (\mathbf{y}')^T\mathbf{v}} h^{\hat{\omega}_i + 1}\big)$. This means that the vectors $\hat{\mathbf{y}}^{(i)}$ for $i \in I$ are identically distributed in the two experiments. Then, for $j \in \bar{S}_i$, we have that $\bar{t}_j = g^{s_j (\mathbf{y}')^T\mathbf{v}} h^{\hat{y}'_j}$, so the components $\bar{t}_j$ for $j \in \bar{S}_i$ and $i \in I$ are identically distributed.

It suffices to show that the remaining components $\{u_j\}_{j \in \bar{S}_i}$ for $i \in I$ are drawn from statistically indistinguishable distributions (from the view of the adversary). Since $u_j = H(\bar{u}_{1,j}, \ldots, \bar{u}_{T,j})$, it suffices to show that the elements $\{\bar{u}_{\tau,j}\}_{\tau \in [T], j \in \bar{S}_i}$ are statistically indistinguishable in the two experiments. First, let
$$J = \{ j \in [\ell'] \mid j \in \bar{S}_i \text{ for some } i \in I \}$$
be the set of indices that appear in some set $\bar{S}_i$ for $i \in I$. Next, let $\bar{z}_{\tau,j} = g^{z_{\tau,j}} h^{\hat{z}_{\tau,j}}$ be the subgroup decomposition of the public-key components. Then, in both experiments, the challenger computes $\bar{u}_{\tau,j}$ as
$$\bar{u}_{\tau,j} = \prod_{k \in [\ell']} \bar{z}_{\tau,j,k}^{\,y_k} = g^{(\mathbf{y}')^T\mathbf{z}_{\tau,j}} h^{(\hat{\mathbf{y}}')^T\hat{\mathbf{z}}_{\tau,j}}.$$
Since $\mathbf{y}'$ is identically distributed in $\mathrm{Hyb}_5$ and $\mathrm{Hyb}_6$, it suffices to consider the distribution of $\bar{u}_{\tau,j}$ in the $\mathbb{H}$ subgroup, or equivalently, the distribution of $(\hat{\mathbf{y}}')^T\hat{\mathbf{z}}_{\tau,j}$ over $\mathbb{Z}_2$. Let $\hat{\mathbf{Z}}_i \in \mathbb{Z}_2^{\ell' \times T}$ be the matrix whose columns are $\hat{\mathbf{z}}_{1,i}, \ldots, \hat{\mathbf{z}}_{T,i}$, and let $\hat{\mathbf{Z}} \in \mathbb{Z}_2^{\ell' \times \ell' T}$ be the matrix
$$\hat{\mathbf{Z}} = [\,\hat{\mathbf{Z}}_1 \mid \cdots \mid \hat{\mathbf{Z}}_{\ell'}\,].$$
Let $\hat{\mathbf{Z}}' \in \mathbb{Z}_2^{\ell' \times \lambda|I|T}$ be the submatrix of $\hat{\mathbf{Z}}$ formed by taking only the blocks of $\hat{\mathbf{Z}}$ indexed by the set $J$ (namely, the blocks $\hat{\mathbf{Z}}_j$ for $j \in J$). In particular, the values of $h^{(\hat{\mathbf{y}}')^T\hat{\mathbf{Z}}'} \in \mathbb{H}^{\lambda|I|T}$ precisely coincide with the components in the $\mathbb{H}$-subgroup of $\bar{u}_{\tau,j}$ for all $\tau \in [T]$, $j \in \bar{S}_i$ and $i \in I$. Thus, it suffices to show that the distributions of $(\hat{\mathbf{y}}')^T\hat{\mathbf{Z}}' \in \mathbb{Z}_2^{\lambda|I|T}$ are statistically indistinguishable in the two experiments. First, for $i \in [\rho]$, let $\hat{\mathbf{Z}}^{(i)} \in \mathbb{Z}_2^{\ell \times \lambda|I|T}$ be matrices such that
$$\hat{\mathbf{Z}}' = \begin{bmatrix} \hat{\mathbf{Z}}^{(1)} \\ \vdots \\ \hat{\mathbf{Z}}^{(\rho)} \end{bmatrix}.$$


This means that
$$(\hat{\mathbf{y}}')^T\hat{\mathbf{Z}}' = \sum_{i \in [\rho]} \Big( (\hat{\mathbf{y}}^{(i)})^T \hat{\mathbf{Z}}^{(i)} \Big) \in \mathbb{Z}_2^{\lambda|I|T}. \qquad \text{(D.6)}$$
By definition, $\hat{\mathbf{Z}}$ is a fixed matrix (determined by the CRS and the adversary's public key) and independent of $\hat{\mathbf{y}}'$. Since each $\hat{\mathbf{y}}^{(i)}$ is sampled independently, we can consider each term individually in this summation:

• If $i \in I$, then as argued above, $\hat{\mathbf{y}}^{(i)}$ is identically distributed in $\mathrm{Hyb}_5$ and $\mathrm{Hyb}_6$, and correspondingly, so is the product $(\hat{\mathbf{y}}^{(i)})^T\hat{\mathbf{Z}}^{(i)}$.

• If $i \notin I$, then the $\hat{\mathbf{y}}^{(i)}$ in the two experiments are sampled from distinct distributions. In $\mathrm{Hyb}_5$, $\hat{\mathbf{y}}^{(i)}$ is uniform over $\mathbb{Z}_2^{\ell}$ subject to $\hat{\omega}_i = \sum_{j \in [\ell]} \alpha^{(i)}_j \hat{y}^{(i)}_j$, while in $\mathrm{Hyb}_6$, $\hat{\mathbf{y}}^{(i)}$ is uniform over $\mathbb{Z}_2^{\ell}$. Since $i \notin I$ and $\hat{\mathbf{Z}}$ is a fixed matrix, we can appeal to Claim D.9 (for the $i$th block of $\hat{\mathbf{Z}}$) and conclude that with overwhelming probability, $\boldsymbol{\alpha}^{(i)} \notin \mathrm{span}(\hat{\mathbf{Z}}^{(i)})$. By Claim C.12, this means that the distribution of $(\hat{\mathbf{y}}^{(i)})^T\hat{\mathbf{Z}}^{(i)}$ in $\mathrm{Hyb}_5$ (where $\hat{\mathbf{y}}^{(i)}$ is uniform subject to a linear constraint $\boldsymbol{\alpha}^{(i)} \notin \mathrm{span}(\hat{\mathbf{Z}}^{(i)})$) is statistically indistinguishable from its distribution in $\mathrm{Hyb}_6$ (where $\hat{\mathbf{y}}^{(i)}$ is uniform).

Since every term in Eq. (D.6) is either statistically indistinguishable or identically distributed in the two experiments, we conclude that $(\hat{\mathbf{y}}')^T\hat{\mathbf{Z}}'$ is also statistically indistinguishable in the two experiments. Correspondingly, this means that the components $\bar{u}_{\tau,j}$ for $\tau \in [T]$, $j \in \bar{S}_i$, and $i \in I$ are also statistically indistinguishable in the two experiments.

Since each consecutive pair of hybrid experiments is statistically indistinguishable (or identically distributed), the theorem follows.

E Dual-Mode Hidden-Bits Generators from DCR

In this section, we show how to construct dual-mode hidden-bits generators from the DCR assumption. As in Section 5, we begin with a basic construction (Construction E.2) and then show how to extend it to obtain one with security against malicious verifiers (Construction E.16). Both constructions are structurally similar to the corresponding constructions from QR (Constructions 5.3 and 5.9, respectively). One difference between the two constructions is that we now use a universal hash function to extract the hidden bit rather than the LEQ predicate. In addition, we rely on a slightly different verification check. This is because in the QR constructions, the public key, commitment, and proofs are all elements in $\mathbb{J}_N$ and membership in $\mathbb{J}_N$ is efficiently decidable. The analog of $\mathbb{J}_N$ in the DCR setting is the subgroup of quadratic residues in $\mathbb{Z}^*_{N^2}$, which is not an efficiently-decidable language. Thus, a malicious prover or verifier could publish public keys, commitments, or proofs that are quadratic non-residues over $\mathbb{Z}^*_{N^2}$ to try and break soundness or zero-knowledge. We handle this case by adjusting the verification relation.

E.1 Dual-Mode Hidden-Bits Generator from DCR

In this section, we construct a standard dual-mode hidden-bits generator from the DCR assumption (without malicious security). This is an analog of Construction 5.3 from the QR assumption. Our construction is inspired by the trapdoor hash function of [DGI+19, Appendix A]. We begin by recalling some basic notation as well as the DCR assumption.

Notation. Let $N = pq$ be a product of safe primes $p, q$. Our construction works over the group $\mathbb{Z}^*_{N^2}$, which splits into two subgroups $\mathbb{H} := \{(1+N)^i \mid i \in [N]\}$ and $\mathrm{NR}_N := \{x^N \mid x \in \mathbb{Z}^*_{N^2}\}$ of coprime orders $N$ and $\varphi(N)$, respectively. In our analysis, we will use the fact that if $x \in \mathbb{Z}^*_{N^2} = \mathrm{NR}_N \times \mathbb{H}$, then $x^2 \in \mathrm{NR}_{2N} \times \mathbb{H}$. When $N$ is a product of safe primes $p = 2p'+1$, $q = 2q'+1$, the subgroup $\mathrm{NR}_{2N}$ of $2N$-th residues is cyclic (and has order $p'q'$). In the following, we write $g$ to denote a generator of $\mathrm{NR}_{2N}$ and $h = (1+N)$ to denote a generator of $\mathbb{H}$. We will typically denote elements of $\mathrm{NR}_{2N} \times \mathbb{H}$ with a bar (e.g., $\bar{c}$, $\bar{t}$). In the analysis, we often analyze elements of $\mathrm{NR}_{2N} \times \mathbb{H}$ by examining their components in their respective subgroups: we write $\bar{c} = g^{c} h^{\hat{c}} \in \mathrm{NR}_{2N} \times \mathbb{H}$ where $c \in \mathbb{Z}_{p'q'}$ and $\hat{c} \in \mathbb{Z}_N$.

Definition E.1 (Decisional Composite Residuosity Assumption [Pai99]). A safe prime modulus sampler SampleModulus satisfies the decisional composite residuosity (DCR) assumption if for all efficient adversaries $\mathcal{A}$, and sampling $(N, p, q) \leftarrow \mathrm{SampleModulus}(1^\lambda)$, $x \xleftarrow{R} \mathbb{Z}^*_{N^2}$,
$$\big|\Pr[\mathcal{A}(N, x) = 1] - \Pr[\mathcal{A}(N, x^N) = 1]\big| = \mathrm{negl}(\lambda).$$

Construction E.2 (Dual-Mode Hidden-Bits Generator from DCR). Our DCR-based dual-mode hidden-bits generator (HBG) goes as follows:

• $\mathrm{Setup}(1^\lambda, 1^\rho, \mathrm{mode}) \to (\mathrm{crs}, \mathrm{sk})$: Sample $(N, p, q) \leftarrow \mathrm{SampleModulus}(1^\lambda)$. Let $g$ be a generator of $\mathrm{NR}_{2N}$ and $h = 1 + N$ be the generator of $\mathbb{H}$. The setup algorithm samples a vector $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$, scalars $s_1, \ldots, s_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$ and sets $\mathbf{w}_i \in \mathbb{Z}_N^{\rho}$ for $i \in [\rho]$ as follows:

– If $\mathrm{mode} = \mathrm{hiding}$, set $\mathbf{w}_i \leftarrow \mathbf{e}_i$, where $\mathbf{e}_i \in \mathbb{Z}_N^{\rho}$ is the $i$th basis vector.

– If $\mathrm{mode} = \mathrm{binding}$, set $\mathbf{w}_i \leftarrow \mathbf{0}$.

Finally, it samples a hash function $H \xleftarrow{R} \mathcal{H}$ where $\mathcal{H}$ is a family of hash functions with domain $\mathbb{Z}_{N^2}$ and range $\{0,1\}$. Output $\mathrm{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{w}_\rho})$.

• $\mathrm{KeyGen}(\mathrm{crs}) \to (\mathrm{pk}, \mathrm{sk})$: On input $\mathrm{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_\rho)$, sample $a, b_1, \ldots, b_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$. Output $\mathrm{pk} = (\bar{\mathbf{v}}^{b_1} \bar{\mathbf{w}}_1^{a}, \ldots, \bar{\mathbf{v}}^{b_\rho} \bar{\mathbf{w}}_\rho^{a})$ and $\mathrm{sk} = (a, b_1, \ldots, b_\rho)$.

• $\mathrm{GenBits}(\mathrm{crs}, \mathrm{pk}) \to (\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]})$: On input $\mathrm{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_\rho)$ and $\mathrm{pk} = (\bar{\mathbf{z}}_1, \ldots, \bar{\mathbf{z}}_\rho)$, sample $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$ and compute for all $i \in [\rho]$:
$$\bar{c} \leftarrow \prod_{j \in [\rho]} \bar{v}_j^{\,y_j} \quad\text{and}\quad \bar{t}_i \leftarrow \prod_{j \in [\rho]} \bar{w}_{i,j}^{\,y_j} \quad\text{and}\quad \bar{u}_i \leftarrow \prod_{j \in [\rho]} (\bar{z}_{i,j}^2)^{y_j}.$$
For each $i \in [\rho]$, let $r_i \leftarrow H(\bar{t}_i^2) \in \{0,1\}$. Output $\sigma = \bar{c}$, $\mathbf{r}$, and $\pi = \{(\bar{t}_i, \bar{u}_i)\}_{i \in [\rho]}$.

• $\mathrm{Verify}(\mathrm{crs}, \mathrm{sk}, \sigma, i, r_i, \pi_i)$: On input $\mathrm{crs} = (N, g, h, H, \bar{\mathbf{v}}, \bar{\mathbf{w}}_1, \ldots, \bar{\mathbf{w}}_\rho)$, $\mathrm{sk} = (a, b_1, \ldots, b_\rho)$, $\sigma = \bar{c}$, $i \in [\rho]$, $r_i \in \{0,1\}$, and $\pi_i = (\bar{t}_i, \bar{u}_i)$, output 1 if $\bar{u}_i = (\bar{t}_i^{a} \bar{c}^{b_i})^2$ and $r_i = H(\bar{t}_i^2)$. Otherwise, output 0.


Correctness and security analysis. We now state the correctness and security theorems for Construction E.2 and give the proofs in Appendix E.1.1.

Theorem E.3 (Correctness). Construction E.2 is correct.

Theorem E.4 (Succinctness). Construction E.2 is succinct.

Theorem E.5 (CRS Indistinguishability). Suppose the DCR assumption holds with respect to SampleModulus. Then, Construction E.2 satisfies CRS indistinguishability.

Theorem E.6 (Statistical Binding in Binding Mode). Construction E.2 satisfies statistical binding in binding mode.

Theorem E.7 (Statistical Simulation in Hiding Mode). If $\mathcal{H}$ is a universal hash, then Construction E.2 satisfies statistical simulation in hiding mode.

E.1.1 Analysis of Construction E.2 (Dual-Mode HBG from DCR)

In this section, we give the proofs for the correctness and security theorems (Theorems E.3 to E.7) for the dual-mode hidden-bits generator from the DCR assumption (Construction E.2).

Proof of Theorem E.3 (Correctness). Fix $\lambda \in \mathbb{N}$, a polynomial $\rho = \rho(\lambda)$, an index $i \in [\rho]$, and a mode $\mathrm{mode} \in \{\mathrm{binding}, \mathrm{hiding}\}$. Let $\mathrm{crs} \leftarrow \mathrm{Setup}(1^\lambda, 1^\rho, \mathrm{mode})$, $(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KeyGen}(\mathrm{crs})$, and $(\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathrm{GenBits}(\mathrm{crs}, \mathrm{pk})$. By construction, $\mathrm{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{w}_\rho})$ for some $\mathbf{v} \in \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$ and $\mathbf{w}_1, \ldots, \mathbf{w}_\rho \in \mathbb{Z}_N^{\rho}$. Then, $\mathrm{sk} = (a, b_1, \ldots, b_\rho)$ and
$$\mathrm{pk} = \big(g^{b_1 \mathbf{v} + a s_1 \mathbf{v}} h^{a \mathbf{w}_1}, \ldots, g^{b_\rho \mathbf{v} + a s_\rho \mathbf{v}} h^{a \mathbf{w}_\rho}\big) = \big(g^{(a s_1 + b_1)\mathbf{v}} h^{a \mathbf{w}_1}, \ldots, g^{(a s_\rho + b_\rho)\mathbf{v}} h^{a \mathbf{w}_\rho}\big).$$
Similarly, we have $\sigma = \bar{c} = \prod_{j \in [\rho]} g^{v_j y_j} = g^{\mathbf{y}^T\mathbf{v}}$, $r_i = H(\bar{t}_i^2)$ and $\pi_i = (\bar{t}_i, \bar{u}_i)$ where
$$\bar{t}_i = \prod_{j \in [\rho]} \big(g^{s_i v_j} h^{w_{i,j}}\big)^{y_j} = g^{s_i \mathbf{y}^T\mathbf{v}} h^{\mathbf{y}^T\mathbf{w}_i}$$
$$\bar{u}_i = \prod_{j \in [\rho]} \big(g^{(a s_i + b_i) v_j} h^{a w_{i,j}}\big)^{2 y_j} = \big(g^{(a s_i + b_i)\mathbf{y}^T\mathbf{v}} h^{a \mathbf{y}^T\mathbf{w}_i}\big)^2.$$
Consider now the behavior of $\mathrm{Verify}(\mathrm{crs}, \mathrm{sk}, \sigma, i, r_i, \pi_i)$. By construction, $r_i = H(\bar{t}_i^2)$, so it suffices to check that $\bar{u}_i = (\bar{t}_i^{a} \bar{c}^{b_i})^2$. From the above relations,
$$(\bar{t}_i^{a} \bar{c}^{b_i})^2 = \big(g^{s_i \mathbf{y}^T\mathbf{v}} h^{\mathbf{y}^T\mathbf{w}_i}\big)^{2a} \big(g^{\mathbf{y}^T\mathbf{v}}\big)^{2 b_i} = \big(g^{(a s_i + b_i)\mathbf{y}^T\mathbf{v}} h^{a \mathbf{y}^T\mathbf{w}_i}\big)^2 = \bar{u}_i,$$
and the verification algorithm outputs 1.

Proof of Theorem E.4 (Succinctness). The size of the commitment in Construction E.2 is a single element in $\mathbb{Z}_{N^2}$, which has length $2\lceil \log N \rceil = \mathrm{poly}(\lambda)$.


Proof of Theorem E.5 (CRS Indistinguishability). First, under the DCR assumption, for $N \leftarrow \mathrm{SampleModulus}(1^\lambda)$, the following two distributions are computationally indistinguishable:
$$\{x \xleftarrow{R} \mathbb{Z}^*_{N^2} : (N, x)\} \overset{c}{\approx} \{x \xleftarrow{R} \mathbb{Z}^*_{N^2} : (N, x^N)\}.$$
This means that the following two distributions are also computationally indistinguishable:
$$\{x \xleftarrow{R} \mathbb{Z}^*_{N^2} : (N, x^2)\} \overset{c}{\approx} \{x \xleftarrow{R} \mathbb{Z}^*_{N^2} : (N, x^{2N})\}.$$
This means that the uniform distribution over $\mathrm{NR}_{2N} \times \mathbb{H}$ is computationally indistinguishable from the uniform distribution over $\mathrm{NR}_{2N}$. We can now appeal to the following theorem from [BG10]:

Claim E.8 ([BG10, §B.2]). Suppose a safe prime product modulus sampler SampleModulus satisfies the DCR assumption. Then, for all polynomials $\rho = \rho(\lambda)$, all fixed vectors $\mathbf{w} \in \{0,1\}^{\rho}$, and all efficient adversaries $\mathcal{A}$, if we sample $(N, p, q) \leftarrow \mathrm{SampleModulus}(1^\lambda)$, $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$, $s \xleftarrow{R} \mathbb{Z}_{p'q'}$, where $p = 2p'+1$ and $q = 2q'+1$, we have that
$$\Big|\Pr[\mathcal{A}(N, g, g^{\mathbf{v}}, g^{s \mathbf{v}}) = 1] - \Pr[\mathcal{A}(N, g, g^{\mathbf{v}}, g^{s \mathbf{v}} h^{\mathbf{w}}) = 1]\Big| = \mathrm{negl}(\lambda),$$
where $g$ is a generator of $\mathrm{NR}_{2N}$ and $h = (1+N)$ is a generator of $\mathbb{H}$.

First, Claim E.8 holds even if $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$ and $s \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$ since the statistical distance between $\{r \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor} : r \bmod p'q'\}$ and $\mathrm{Uniform}(\mathbb{Z}_{p'q'})$ is negligible. The theorem now follows by an analogous hybrid argument as in the proof of Theorem 5.6.

Proof of Theorem E.6 (Statistical Binding). Recall that in binding mode, the common reference string is given by
$$\mathrm{crs} = (N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_\rho \mathbf{v}}).$$
We define the (inefficient) Open algorithm as follows:

• $\mathrm{Open}(\mathrm{crs}, \sigma) \to \mathbf{r}$: On input a $\mathrm{crs} = (N, g, h, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_\rho \mathbf{v}})$ and a commitment $\sigma = \bar{c} \in \mathbb{Z}^*_{N^2}$ (outputting $\bot$ if the components do not have this form), the open algorithm recovers $s_1, \ldots, s_\rho$. It computes $r_i \leftarrow H((\bar{c}^{s_i})^2)$ for each $i \in [\rho]$ and outputs $\mathbf{r}$.

To complete the proof, we use a hybrid argument:

• $\mathrm{Hyb}_0$: This is the real soundness experiment. The challenger samples $\mathrm{crs} \leftarrow \mathrm{Setup}(1^\lambda, 1^\rho, \mathrm{binding})$ and $(\mathrm{pk}, \mathrm{sk}) \leftarrow \mathrm{KeyGen}(\mathrm{crs})$ and gives $(\mathrm{crs}, \mathrm{pk})$ to $\mathcal{A}$. Here,
$$\mathrm{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}}, \ldots, g^{s_\rho \mathbf{v}}\big) \quad\text{and}\quad \mathrm{pk} = \big(g^{(a s_1 + b_1)\mathbf{v}}, \ldots, g^{(a s_\rho + b_\rho)\mathbf{v}}\big).$$
The adversary can make queries to the verification oracle, and on each query $(\sigma, i, r_i, \pi_i)$, the challenger replies with $\mathrm{Verify}(\mathrm{crs}, \mathrm{sk}, \sigma, i, r_i, \pi_i)$. At the end of the game, the adversary outputs a tuple $(\sigma^*, i^*, r^*, \pi^*)$ and the output of the experiment is 1 if $r^* \neq r_{i^*}$ where $\mathbf{r} \leftarrow \mathrm{Open}(\mathrm{crs}, \sigma^*)$ and $\mathrm{Verify}(\mathrm{crs}, \mathrm{sk}, \sigma^*, i^*, r^*, \pi^*) = 1$.

• $\mathrm{Hyb}_1$: Same as $\mathrm{Hyb}_0$ except the challenger samples the scalars $s_1, \ldots, s_\rho$ and the secret key components $a, b_1, \ldots, b_\rho$ uniformly at random from $\mathbb{Z}_{N p'q'}$ (instead of $\mathbb{Z}_{\lfloor N^2/4 \rfloor}$).


• $\mathrm{Hyb}_2$: Same as $\mathrm{Hyb}_1$ except the challenger computes $\mathrm{Verify}(\mathrm{crs}, \mathrm{sk}, \sigma, i, r_i, \pi_i)$ using the following modified procedure. Let $\sigma = \bar{c} \in \mathbb{Z}^*_{N^2}$, and write $\bar{c}^2 = g^{c} h^{\hat{c}}$ for some $c \in \mathbb{Z}_{p'q'}$ and $\hat{c} \in \mathbb{Z}_N$. Similarly, parse $\pi_i = (\bar{t}_i, \bar{u}_i) \in (\mathbb{Z}^*_{N^2})^2$ and write $\bar{t}_i^2$ as $g^{t_i} h^{\hat{t}_i}$ for $t_i \in \mathbb{Z}_{p'q'}$ and $\hat{t}_i \in \mathbb{Z}_N$. Next, the challenger outputs 0 if $\bar{u}_i \notin \mathrm{NR}_{2N} \times \mathbb{H}$. Otherwise, it writes $\bar{u}_i$ as $g^{u_i} h^{\hat{u}_i}$ for $u_i \in \mathbb{Z}_{p'q'}$ and $\hat{u}_i \in \mathbb{Z}_N$. Then the challenger does the following:

– If $r_i \neq H(\bar{t}_i^2)$, output 0.

– If $\hat{c} \neq 0$ or $\hat{t}_i \neq 0$, then output 0.

– If $t_i \neq s_i c$, then output 0.

– Otherwise, take any $\mathbf{y} \in \mathbb{Z}^{\rho}_{p'q'}$ such that $\mathbf{y}^T\mathbf{v} = c$. Output 1 if $u_i = (a s_i + b_i)\mathbf{y}^T\mathbf{v}$ and $\hat{u}_i = 0$. Otherwise (or if no such $\mathbf{y}$ exists), output 0.

Importantly, the challenger's responses to the verification queries in $\mathrm{Hyb}_2$ depend only on the public components (i.e., crs and pk).

For an adversary $\mathcal{A}$, we write $\mathrm{Hyb}_i(\mathcal{A})$ to denote the output distribution of an execution of experiment $\mathrm{Hyb}_i$ with adversary $\mathcal{A}$. We now show that the output distribution of each adjacent pair of hybrid experiments is statistically indistinguishable.

Lemma E.9. For all adversaries $\mathcal{A}$, $\mathrm{Hyb}_0(\mathcal{A}) \overset{s}{\approx} \mathrm{Hyb}_1(\mathcal{A})$.

Proof. The statistical distance between $\mathrm{Uniform}(\mathbb{Z}_{\lfloor N^2/4 \rfloor})$ and $\mathrm{Uniform}(\mathbb{Z}_{N p'q'})$ satisfies
$$\Delta\big(\mathrm{Uniform}(\mathbb{Z}_{\lfloor N^2/4 \rfloor}), \mathrm{Uniform}(\mathbb{Z}_{N p'q'})\big) = 1 - \frac{N p'q'}{\lfloor N^2/4 \rfloor} = \mathrm{negl}(\lambda), \qquad \text{(E.1)}$$
since $1/p', 1/q' = \mathrm{negl}(\lambda)$. Since $\rho = \mathrm{poly}(\lambda)$, the claim follows by a union bound.

Lemma E.10. For all adversaries $\mathcal{A}$, $\mathrm{Hyb}_1(\mathcal{A}) \overset{s}{\approx} \mathrm{Hyb}_2(\mathcal{A})$.

Proof. In $\mathrm{Hyb}_1$ and $\mathrm{Hyb}_2$, the challenger evaluates Verify at most $Q + 1$ times where $Q = \mathrm{poly}(\lambda)$ is the bound on the number of queries the adversary makes. For $j \in \{0, \ldots, Q+1\}$, let $\mathrm{Hyb}_{1,j}$ denote the experiment where the first $j$ queries are handled according to the specification in $\mathrm{Hyb}_2$ while the remaining queries are handled according to the specification in $\mathrm{Hyb}_1$. By construction, $\mathrm{Hyb}_1 \equiv \mathrm{Hyb}_{1,0}$ and $\mathrm{Hyb}_2 \equiv \mathrm{Hyb}_{1,Q+1}$. Consider $\mathrm{Hyb}_{1,j-1}$ and $\mathrm{Hyb}_{1,j}$ for $j \in [Q+1]$. These two experiments only differ in how the challenger computes the output for the $j$th Verify call. Moreover, by construction of $\mathrm{Hyb}_{1,j-1}$ and $\mathrm{Hyb}_{1,j}$, all of the adversary's queries prior to the $j$th query are handled according to the specification in $\mathrm{Hyb}_2$, which depend only on the public components crs and pk. Let $(\sigma, i, r_i, \pi_i)$ be the arguments to the $j$th Verify call. As in the specification of $\mathrm{Hyb}_2$, parse $\sigma = \bar{c} \in \mathbb{Z}^*_{N^2}$ and $\pi_i = (\bar{t}_i, \bar{u}_i) \in (\mathbb{Z}^*_{N^2})^2$. First, if $\bar{u}_i$ is not a quadratic residue (i.e., $\bar{u}_i \notin \mathrm{NR}_{2N} \times \mathbb{H}$), then the challenger in $\mathrm{Hyb}_{1,j}$ always outputs 0. We argue that this is the case in $\mathrm{Hyb}_{1,j-1}$ as well. By construction of Verify, the output is 1 only if $\bar{u}_i = (\bar{t}_i^{a} \bar{c}^{b_i})^2$. But if $\bar{u}_i$ is not a quadratic residue, this relation is never satisfied, and so the output in $\mathrm{Hyb}_{1,j-1}$ is also 0. Thus, it suffices to only consider the case where $\bar{u}_i$ is a quadratic residue. Then, define $c, t_i, u_i \in \mathbb{Z}_{p'q'}$ and $\hat{c}, \hat{t}_i, \hat{u}_i \in \mathbb{Z}_N$ such that $\bar{c}^2 = g^{c} h^{\hat{c}}$, $\bar{t}_i^2 = g^{t_i} h^{\hat{t}_i}$, and $\bar{u}_i = g^{u_i} h^{\hat{u}_i}$. We consider the different cases:

• Suppose $r_i \neq H(\bar{t}_i^2)$. Then, the output in both experiments is 0.


• Suppose c 6= 0 or ti 6= 0. We argue that with overwhelming probability, the output in Hyb1,j−1is 0. For the output to be 1 in Hyb1,j−1, it must be the case that ui = (t

ai cbi)2, or equivalently,

ui = ati + bic ∈ Zp′q′ and ui = ati + bic ∈ ZN .

In both Hyb1 and Hyb2, the public parameters are independent of the values of a mod Nand bi mod N . This follows from the fact that a, bi ∈ ZNp′q′ , and the adversary only seeselements g(asi+bi)v, where g generates a group of order p′q′ (and gcd(p′q′, N) = 1). Next, sincea and bi are uniform over ZNp′q′ , the values a mod N and bi mod N are distributed uniformlyand independently of the rest of the public parameters. Since the responses to all of theadversary’s queries prior to its jth query only depend on the public parameters, the conditionaldistribution of a mod N and bi mod N given the adversary’s view up to the time of its jth

query is uniform and independently random. Since at least one of c and ti is non-zero, thismeans that the value of ati + bic mod N is independently and uniformly random over ZN .Therefore, ui = ati + bic with probability at most 1/N = negl(λ). This means that the outputin Hyb1,j−1 is 0 with overwhelming probability.

• Suppose that $t_i \neq s_i c \in \mathbb{Z}_{p'q'}$. We only need to consider the case where $\bar{c} = 0$ and $\bar{t}_i = 0$. We show that in this case, the output in $\mathsf{Hyb}_{1,j-1}$ is 0 with overwhelming probability. For the output to be 1 in $\mathsf{Hyb}_{1,j-1}$, it must be the case that $\mathsf{u}_i = (\mathsf{t}_i^{a}\mathsf{c}^{b_i})^2$, or equivalently,

$$u_i = a t_i + b_i c \in \mathbb{Z}_{p'q'} \quad\text{and}\quad \bar{u}_i = a \bar{t}_i + b_i \bar{c} = 0 \in \mathbb{Z}_N.$$

The only components in crs and pk that depend on $a$ and $b_i$ are the public-key components $g^{(a s_i + b_i)\mathbf{v}}$. Let $\mathbf{b} \in \mathbb{Z}^{\rho}_{Np'q'}$ be the vector whose components are $b_1, \ldots, b_\rho$, and let $\mathbf{s} \in \mathbb{Z}^{\rho}_{Np'q'}$ be the vector whose components are $s_1, \ldots, s_\rho$. The public parameters pk can then be expressed as a function of

$$\mathbf{Z} = [\,\mathbf{s} \mid \mathbf{I}_\rho\,] \cdot \begin{bmatrix} a \\ \mathbf{b} \end{bmatrix} \cdot \mathbf{v}^T \in \mathbb{Z}^{\rho \times \rho}_{Np'q'},$$

where $\mathbf{I}_\rho \in \mathbb{Z}^{\rho \times \rho}_{Np'q'}$ is the identity matrix. Namely, the components of pk consist of $g^{\mathbf{Z}}$. Since $t_i \neq s_i c \in \mathbb{Z}_{p'q'}$, by the Chinese remainder theorem, it must be the case that $t_i \neq s_i c \pmod{p'}$ or $t_i \neq s_i c \pmod{q'}$. Without loss of generality, suppose that $t_i \neq s_i c \pmod{p'}$. In this case the vector $[\,t_i \mid c \cdot \mathbf{e}_i\,]$ is linearly independent of the rows of the matrix $[\,\mathbf{s} \pmod{p'} \mid \mathbf{I}_\rho\,]$. Since $a, \mathbf{b}$ are uniform over $\mathbb{Z}_{Np'q'}$, the components $a \bmod p'$ and $\mathbf{b} \bmod p'$ are uniform over $\mathbb{Z}_{p'}$. By linear independence over $\mathbb{Z}_{p'}$, the value of $a t_i + b_i c \pmod{p'}$ is uniformly random over $\mathbb{Z}_{p'}$ even given $\mathbf{Z}$. This means that $a t_i + b_i c = u_i \pmod{p'}$ with probability at most $1/p' = \mathrm{negl}(\lambda)$. Thus, the challenger in $\mathsf{Hyb}_{1,j-1}$ outputs 0 with overwhelming probability.

• The only remaining case is when $\bar{c} = 0 = \bar{t}_i$, $t_i = s_i c$, and $r_i = H(\mathsf{t}_i^2)$. In this case, $(g^{t_i})^{a}(g^{c})^{b_i} = g^{(a s_i + b_i)c}$. Since $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$, with overwhelming probability, there will be some component that is invertible modulo $p'q'$. If so, there always exists $\mathbf{y} \in \mathbb{Z}^{\rho}_{p'q'}$ such that $\mathbf{y}^T \mathbf{v} = c$. Then, in $\mathsf{Hyb}_{1,j-1}$, the challenger outputs 1 if and only if

$$\mathsf{u}_i = (\mathsf{t}_i^{a}\mathsf{c}^{b_i})^2 = g^{a t_i + b_i c} = g^{(a s_i + b_i) c} = g^{(a s_i + b_i)\mathbf{y}^T \mathbf{v}}.$$

Since $\mathsf{u}_i = g^{u_i} h^{\bar{u}_i}$, this is equivalent to checking that $u_i = (a s_i + b_i)\mathbf{y}^T \mathbf{v}$ and $\bar{u}_i = 0$. This is precisely the check in $\mathsf{Hyb}_{1,j}$.


In each case, we see that the $j$th call to Verify is implemented correctly with overwhelming probability in $\mathsf{Hyb}_{1,j-1}$ and $\mathsf{Hyb}_{1,j}$.

To complete the proof, it suffices to show that for all adversaries $\mathcal{A}$, the output of $\mathsf{Hyb}_2(\mathcal{A})$ is 0 with overwhelming probability. Let $(\sigma^*, i^*, r^*, \pi^*)$ be the adversary's output in $\mathsf{Hyb}_2$. The output of $\mathsf{Hyb}_2$ is 1 only if $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma^*, i^*, r^*, \pi^*) = 1$ and $r_{i^*} \neq r^*$ where $\mathbf{r} \leftarrow \mathsf{Open}(\mathsf{crs}, \sigma^*)$. Write $\sigma^* = \mathsf{c}$, $\mathsf{c}^2 = g^{c} h^{\bar{c}}$, $\pi^* = (\mathsf{t}, \mathsf{u})$, $\mathsf{t}^2 = g^{t} h^{\bar{t}}$, and $\mathsf{u} = g^{u} h^{\bar{u}}$ (if $\mathsf{u}$ is not a quadratic residue in $\mathbb{Z}_{N^2}$, then the output in $\mathsf{Hyb}_2$ is 0). In $\mathsf{Hyb}_2$, if $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma^*, i^*, r^*, \pi^*) = 1$, it must be the case that

$$r^* = H(\mathsf{t}^2) \quad\text{and}\quad \bar{c} = 0 \quad\text{and}\quad \bar{t} = 0 \quad\text{and}\quad t = s_{i^*} c.$$

Consider now the value of $r_{i^*}$ and $r^*$:

• From the above, $\mathsf{t}^2 = g^{t} h^{\bar{t}} = g^{t} = g^{c s_{i^*}}$. Thus $r^* = H(\mathsf{t}^2) = H(g^{c s_{i^*}})$.

• By definition of Open, $r_{i^*} = H((\mathsf{c}^{s_{i^*}})^2) = H((\mathsf{c}^2)^{s_{i^*}}) = H((g^{c})^{s_{i^*}}) = r^*$.

Since $r^* = r_{i^*}$, the output in $\mathsf{Hyb}_2(\mathcal{A})$ is 0.

Proof of Theorem E.7 (Statistical Simulation). We construct a simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ as follows:

• $\mathcal{S}_1(1^\lambda, 1^\rho) \to (\mathsf{st}_{\mathcal{S}}, \mathsf{crs}, \mathsf{pk}, \mathsf{sk})$: Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$, where $p = 2p' + 1$ and $q = 2q' + 1$. Let $g$ be a generator of $\mathsf{NR}_{2N}$ and $h = 1 + N$ be the generator of $\mathbb{H}$. Sample a vector $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$, scalars $s_1, \ldots, s_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$, and a hash function $H \xleftarrow{R} \mathcal{H}$. Sample $a, b_1, \ldots, b_\rho \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$, and set

$$\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho}\big), \quad \mathsf{pk} = \big(g^{(a s_1 + b_1)\mathbf{v}} h^{a \mathbf{e}_1}, \ldots, g^{(a s_\rho + b_\rho)\mathbf{v}} h^{a \mathbf{e}_\rho}\big), \quad \mathsf{sk} = (a, b_1, \ldots, b_\rho).$$

Output crs, pk, sk and $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, \mathsf{pk}, p', q', s_1, \ldots, s_\rho)$.

• $\mathcal{S}_2(\mathsf{st}_{\mathcal{S}}, I, \mathbf{r}_I) \to (\sigma, \{\pi_i\}_{i \in I})$: On input $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, \mathsf{pk}, p', q', s_1, \ldots, s_\rho)$ where

$$\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho}\big) \quad\text{and}\quad \mathsf{pk} = \big(g^{\mathbf{z}_1} h^{\bar{\mathbf{z}}_1}, \ldots, g^{\mathbf{z}_\rho} h^{\bar{\mathbf{z}}_\rho}\big),$$

where $\mathbf{z}_i = (a s_i + b_i)\mathbf{v}$ and $\bar{\mathbf{z}}_i = a \mathbf{e}_i$ for all $i \in [\rho]$, a set of indices $I \subseteq [\rho]$, and a bitstring $\mathbf{r}_I \in \{0,1\}^{|I|}$, the simulator samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$. Then, it samples a vector $\bar{\mathbf{y}}' \in \mathbb{Z}^{\rho}_N$ component-by-component: specifically, for each $i \in [\rho]$, it does the following:

– If $i \notin I$, sample $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$.

– If $i \in I$, sample $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$ conditioned on $r_i = H\big((g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2\big)$. Specifically, repeatedly sample $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$ until finding one that satisfies the relation. If no candidate is found after $\lambda$ attempts, then abort and output $\bot$.

Define $\mathbf{y} \in \mathbb{Z}^{\rho}_{Np'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}}' \pmod{N}$. The simulator then sets $\mathsf{t}_i = g^{s_i \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_i}$ and $\mathsf{u}_i = \big(g^{\mathbf{y}^T \mathbf{z}_i} h^{\mathbf{y}^T \bar{\mathbf{z}}_i}\big)^2$. Output $\sigma = g^{\mathbf{y}^T \mathbf{v}}$ and $\{\pi_i\}_{i \in I}$ where $\pi_i = (\mathsf{t}_i, \mathsf{u}_i)$.

To show that $\mathsf{ExptHide}[\mathcal{A}, \mathcal{S}, 0]$ and $\mathsf{ExptHide}[\mathcal{A}, \mathcal{S}, 1]$ are statistically indistinguishable, we use a hybrid argument:

• $\mathsf{Hyb}_0$: This is the experiment $\mathsf{ExptHide}[\mathcal{A}, \mathcal{S}, 0]$. Namely, the challenger begins by sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding})$ and $(\mathsf{pk}, \mathsf{sk}) \leftarrow \mathsf{KeyGen}(\mathsf{crs})$. For each challenge query, the challenger first samples $(\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathsf{GenBits}(\mathsf{crs})$ and gives $\mathbf{r}$ to $\mathcal{A}$ before receiving a set $I \subseteq [\rho]$ chosen by $\mathcal{A}$. It then replies with $\sigma$ and $\{\pi_i\}_{i \in I}$.

More precisely, in this experiment,

$$\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_\rho \mathbf{v}} h^{\mathbf{e}_\rho}\big) \quad\text{and}\quad \mathsf{pk} = \big(g^{\mathbf{z}_1} h^{\bar{\mathbf{z}}_1}, \ldots, g^{\mathbf{z}_\rho} h^{\bar{\mathbf{z}}_\rho}\big),$$

where $\mathbf{z}_i = (a s_i + b_i)\mathbf{v}$ and $\bar{\mathbf{z}}_i = a \mathbf{e}_i$ for all $i \in [\rho]$. On each challenge query, the challenger samples $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$ and computes

$$\sigma = g^{\mathbf{y}^T \mathbf{v}} \quad\text{and}\quad \mathsf{t}_i = g^{s_i \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_i} \quad\text{and}\quad \mathsf{u}_i = \big(g^{\mathbf{y}^T \mathbf{z}_i} h^{\mathbf{y}^T \bar{\mathbf{z}}_i}\big)^2,$$

for all $i \in [\rho]$. The random bits $r_i$ satisfy $r_i = H(\mathsf{t}_i^2)$, and the proofs $\pi_i$ satisfy $\pi_i = (\mathsf{t}_i, \mathsf{u}_i)$.

• $\mathsf{Hyb}_1$: Same as $\mathsf{Hyb}_0$, except that the challenger computes $(\mathsf{st}_{\mathcal{S}}, \mathsf{crs}, \mathsf{pk}, \mathsf{sk}) \leftarrow \mathcal{S}_1(1^\lambda, 1^\rho)$ and uses the simulated crs, pk, and sk in place of those output by Setup and KeyGen.

• $\mathsf{Hyb}_2$: Same as $\mathsf{Hyb}_1$, except when responding to the challenge queries, the challenger samples $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\rho}_{Np'q'}$ instead of $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$.

• $\mathsf{Hyb}_3$: Same as $\mathsf{Hyb}_2$, except when responding to the challenge queries, the challenger first samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$ and $\bar{\mathbf{y}}' \xleftarrow{R} \mathbb{Z}^{\rho}_N$. It defines $\mathbf{y} \in \mathbb{Z}^{\rho}_{Np'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}}' \pmod{N}$.

• $\mathsf{Hyb}_4$: Same as $\mathsf{Hyb}_3$, except when responding to the challenge queries, the challenger first samples $\mathbf{r} \xleftarrow{R} \{0,1\}^{\rho}$. Then it samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$. Next, for each $i \in [\rho]$, it samples $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$ such that $r_i = H\big((g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2\big)$. It uses the same rejection sampling procedure as in $\mathcal{S}_2$: namely, repeatedly sample $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$ until finding one that satisfies the relation, and abort with output $\bot$ if no such $\bar{y}'_i$ is found after $\lambda$ attempts. Finally it sets $\mathbf{y} \in \mathbb{Z}^{\rho}_{Np'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}}' \pmod{N}$. The remaining components are constructed as before.

• $\mathsf{Hyb}_5$: Same as $\mathsf{Hyb}_4$, except when responding to the challenge queries, the challenger samples $\bar{\mathbf{y}}' \in \mathbb{Z}^{\rho}_N$ after it receives the challenge set. In particular, on each query, after the challenger receives the set $I \subseteq [\rho]$, for each $i \in I$, it applies the same rejection sampling procedure as $\mathcal{S}_2$ to sample $\bar{y}'_i \in \mathbb{Z}_N$ such that $r_i = H\big((g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2\big)$. If $i \notin I$, then it samples $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$. All remaining components are constructed as in $\mathsf{Hyb}_4$. This is the distribution in $\mathsf{ExptHide}[\mathcal{A}, \mathcal{S}, 1]$.

Lemma E.11. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \equiv \mathsf{Hyb}_1(\mathcal{A})$.

Proof. Since $\mathcal{S}_1(1^\lambda, 1^\rho)$ samples crs, pk, and sk using the same procedure as Setup and KeyGen, the output distributions of hybrids $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ are identically distributed.

Lemma E.12. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. The only difference between $\mathsf{Hyb}_1$ and $\mathsf{Hyb}_2$ is that the challenger samples $\mathbf{y}$ uniformly at random from $\mathbb{Z}^{\rho}_{Np'q'}$ instead of $\mathbb{Z}^{\rho}_{\lfloor N^2/4 \rfloor}$ when answering challenge queries. Since the distributions $\mathrm{Uniform}(\mathbb{Z}_{\lfloor N^2/4 \rfloor})$ and $\mathrm{Uniform}(\mathbb{Z}_{Np'q'})$ are statistically indistinguishable (see Eq. (E.1)), the claim follows by a union bound (since $\rho = \mathrm{poly}(\lambda)$ and $\mathcal{A}$ makes a polynomial number of queries).

Lemma E.13. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_2(\mathcal{A}) \equiv \mathsf{Hyb}_3(\mathcal{A})$.

Proof. The two distributions only differ in how $\mathbf{y}$ is sampled. In $\mathsf{Hyb}_2$, $\mathbf{y}$ is uniform over $\mathbb{Z}^{\rho}_{Np'q'}$ while in $\mathsf{Hyb}_3$, we sample $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$ and $\bar{\mathbf{y}}' \xleftarrow{R} \mathbb{Z}^{\rho}_N$ and define $\mathbf{y}$ so that $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}}' \pmod{N}$. These distributions are identical by the Chinese remainder theorem (since $\gcd(p'q', N) = 1$).

Lemma E.14. If $H$ is a universal hash, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_3(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_4(\mathcal{A})$.

Proof. In $\mathsf{Hyb}_3$ and $\mathsf{Hyb}_4$, the challenger first samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$. In $\mathsf{Hyb}_3$, the challenger then samples $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$, and sets

$$r_i = H\big((g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2\big) \tag{E.2}$$

for each $i \in [\rho]$. In $\mathsf{Hyb}_4$, the challenger first samples $r_i \xleftarrow{R} \{0,1\}$ and then samples $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$ such that Eq. (E.2) holds for each $i \in [\rho]$. First, all of the other components in Eq. (E.2) (i.e., $s_i$, $\mathbf{v}$, and $\mathbf{y}'$) are identically distributed in $\mathsf{Hyb}_3$ and $\mathsf{Hyb}_4$. Thus, it suffices to show the following:

• The distribution of $r_i$ in $\mathsf{Hyb}_3$ is statistically close to uniform over $\{0,1\}$. This follows from the fact that $\bar{y}'_i$ is uniform over $\mathbb{Z}_N$. This means that $\bar{y}'_i$ is sampled from a distribution with at least $\log N$ bits of min-entropy. Since $\gcd(N, 2) = 1$, the distribution of $(g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2$ also has at least $\log N$ bits of min-entropy over $\mathbb{Z}_{N^2}$ (even after fixing $s_i$, $\mathbf{v}$, $\mathbf{y}'$). Since $H$ is universal and $1/N = \mathrm{negl}(\lambda)$, we appeal to the leftover hash lemma to conclude that $r_i$ is statistically close to uniform over $\{0,1\}$. Since each $\bar{y}'_i$ is sampled independently, each $r_i$ is correspondingly independent and statistically close to uniform. By a union bound, we conclude that $\mathbf{r} \in \{0,1\}^{\rho}$ is statistically close to uniform in $\mathsf{Hyb}_3$. Thus, the distributions of $\mathbf{r}$ in the two experiments are statistically indistinguishable.

• With overwhelming probability, the sampling algorithm in $\mathsf{Hyb}_4$ does not abort. If this is the case, then in $\mathsf{Hyb}_4$, the distribution of $\bar{y}'_i$ is uniform over $\mathbb{Z}_N$ subject to Eq. (E.2) holding, which coincides with the distribution in $\mathsf{Hyb}_3$. From the above analysis, we have that for $\bar{y}'_i \xleftarrow{R} \mathbb{Z}_N$, the distribution of $H\big((g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2\big)$ is statistically close to uniform over $\{0,1\}$, and thus, will equal $r_i$ with probability at least $1/2 - \mathrm{negl}(\lambda)$. The probability that the challenger fails to sample a $\bar{y}'_i$ such that Eq. (E.2) holds is then $1/2^{\lambda} - \mathrm{negl}(\lambda) = \mathrm{negl}(\lambda)$. Thus, the challenger in $\mathsf{Hyb}_4$ succeeds with overwhelming probability, and the claim follows.

Lemma E.15. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_4(\mathcal{A}) \equiv \mathsf{Hyb}_5(\mathcal{A})$.

Proof. First, the challenger generates the common reference string crs and the public key pk identically in the two experiments. It suffices to argue that the challenger's response to the adversary's challenge query is identically distributed in $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$. In particular, on each challenge query, after the adversary outputs a set $I \subseteq [\rho]$, the challenger replies with a commitment $\sigma = g^{\mathbf{y}^T \mathbf{v}}$ and a collection of proofs $\{\pi_i\}_{i \in I}$ where $\pi_i = (\mathsf{t}_i, \mathsf{u}_i)$. We show that the commitment $\sigma$ and the group elements $\mathsf{t}_i, \mathsf{u}_i \in \mathbb{Z}^*_{N^2}$ are identically distributed in the two experiments:

• In $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, the challenger samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\rho}_{p'q'}$. Since $g$ generates a subgroup of order $p'q'$ and $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$, it follows that $\sigma = g^{\mathbf{y}^T \mathbf{v}} = g^{(\mathbf{y}')^T \mathbf{v}}$, and so $\sigma$ is identically distributed in the two experiments.

• In $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, for all $i \in I$, the challenger samples $\bar{y}'_i \in \mathbb{Z}_N$ conditioned on $r_i = H\big((g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i})^2\big)$. Thus, the variables $\bar{y}'_i$ for $i \in I$ in the two experiments are identically distributed. In both experiments, the value $\mathsf{t}_i$ satisfies $\mathsf{t}_i = g^{s_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_i}$, and since $\mathbf{y}'$ and $\bar{y}'_i$ are identically distributed in the two experiments (along with the remaining components $s_i$ and $\mathbf{v}$), the value $\mathsf{t}_i$ is also identically distributed in the two experiments.

• In $\mathsf{Hyb}_4$ and $\mathsf{Hyb}_5$, $\mathsf{u}_i = \big(g^{\mathbf{y}^T \mathbf{z}_i} h^{\mathbf{y}^T \bar{\mathbf{z}}_i}\big)^2$, where $\mathbf{z}_i = (a s_i + b_i)\mathbf{v}$ and $\bar{\mathbf{z}}_i = a \mathbf{e}_i$. In particular, this means that $\mathsf{u}_i = \big(g^{(a s_i + b_i)(\mathbf{y}')^T \mathbf{v}} h^{a \bar{y}'_i}\big)^2$. By construction, for all $i \in I$, all of the terms in the exponents are identically distributed in the two experiments.

The theorem now follows by a hybrid argument.

E.2 Dual-Mode Hidden-Bits Generator with Malicious Security from DCR

In this section, we describe our construction of a dual-mode hidden-bits generator with malicious security from the decisional composite residuosity (DCR) assumption from [Pai99]. This is an analog of Construction 5.9 from the QR assumption.

Construction E.16 (Dual-Mode HBG with Malicious Security from DCR). Let $\rho$ be the output length of the hidden-bits generator. Our construction relies on a similar set of building blocks as Construction 4.18:

• Let SampleModulus be a safe prime modulus sampler.

• Let $\ell = 3\rho\lambda$ and define $\mathcal{T}_{\lambda,\ell} := \{S \subseteq [\ell] : |S| = \lambda\}$ to be the set of all subsets of $[\ell]$ that contain exactly $\lambda$ elements. Let $G : \{0,1\}^{\kappa} \to \mathcal{T}^{\rho}_{\lambda,\ell} \times \mathbb{Z}^{\rho\ell}_N$ be a PRG with seed length $\kappa = \kappa(\lambda)$. Here, $N$ is the modulus output by SampleModulus. We refer to Construction 4.18 for a description of how to construct such a PRG.

We construct the dual-mode designated-verifier HBG with malicious security as follows:

• $\mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{mode}) \to \mathsf{crs}$: Let $\ell' = \rho\ell$. Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$. Let $g$ be a generator of $\mathsf{NR}_{2N}$ and $h = 1 + N$ be the generator of $\mathbb{H}$. The setup algorithm samples a vector $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N^2/4 \rfloor}$, scalars $s_1, \ldots, s_{\ell'} \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$ and sets $\mathbf{w}_i \in \mathbb{Z}^{\ell'}_N$ for $i \in [\ell']$ as follows:

– If $\mathsf{mode} = \mathsf{hiding}$, set $\mathbf{w}_i \leftarrow \mathbf{e}_i$, where $\mathbf{e}_i \in \mathbb{Z}^{\ell'}_N$ is the $i$th basis vector.

– If $\mathsf{mode} = \mathsf{binding}$, set $\mathbf{w}_i \leftarrow \mathbf{0}$.

Finally, it samples a hash function $H \xleftarrow{R} \mathcal{H}$ where $\mathcal{H}$ is a family of hash functions with domain $\mathbb{Z}_{N^2}$ and range $\{0,1\}$. Output $\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{w}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{w}_{\ell'}}\big)$.

• $\mathsf{KeyGen}(\mathsf{crs}) \to (\mathsf{pk}, \mathsf{sk})$: On input $\mathsf{crs} = (N, g, h, H, \mathsf{v}, \mathsf{w}_1, \ldots, \mathsf{w}_{\ell'})$, sample $a, b_1, \ldots, b_{\ell'} \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$. Output $\mathsf{pk} = \big(\mathsf{v}^{b_1} \mathsf{w}_1^{a}, \ldots, \mathsf{v}^{b_{\ell'}} \mathsf{w}_{\ell'}^{a}\big)$ and $\mathsf{sk} = (a, b_1, \ldots, b_{\ell'})$.

• $\mathsf{GenBits}(\mathsf{crs}, \mathsf{pk}) \to (\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]})$: On input $\mathsf{crs} = (N, g, h, H, \mathsf{v}, \mathsf{w}_1, \ldots, \mathsf{w}_{\ell'})$ and $\mathsf{pk} = (\mathsf{z}_1, \ldots, \mathsf{z}_{\ell'})$, first check that $\mathsf{z}_i \in (\mathbb{Z}^*_{N^2})^{\ell'}$ for all $i \in [\ell']$ (and output $\bot$ otherwise). Then, sample $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N^2/4 \rfloor}$ and compute for each $i \in [\ell']$:

$$\mathsf{c} \leftarrow \prod_{j \in [\ell']} \mathsf{v}_j^{y_j} \quad\text{and}\quad \mathsf{t}_i \leftarrow \prod_{j \in [\ell']} \mathsf{w}_{i,j}^{y_j} \quad\text{and}\quad \mathsf{u}_i \leftarrow \prod_{j \in [\ell']} \big(\mathsf{z}_{i,j}^2\big)^{y_j}.$$

Next, sample a PRG seed $s \xleftarrow{R} \{0,1\}^{\kappa}$ and compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$ where $S_i \in \mathcal{T}_{\lambda,\ell}$ for all $i \in [\rho]$ and $\boldsymbol{\alpha} \in \mathbb{Z}^{\rho\ell}_N$. Compute the shifted sets $S_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$ for each $i \in [\rho]$. Finally, compute

$$r_i \leftarrow H\Big(\prod_{j \in S_i} \mathsf{t}_j^{2\alpha_j}\Big) \quad\text{and}\quad \pi_i \leftarrow \{(j, \mathsf{t}_j, \mathsf{u}_j)\}_{j \in S_i}.$$

Output $\sigma = (s, \mathsf{c})$, $\mathbf{r}$, and $\{\pi_i\}_{i \in [\rho]}$.

• $\mathsf{Verify}(\mathsf{crs}, \mathsf{sk}, \sigma, i, r_i, \pi_i)$: On input $\mathsf{crs} = (N, g, h, H, \mathsf{v}, \mathsf{w}_1, \ldots, \mathsf{w}_{\ell'})$, $\mathsf{sk} = (a, b_1, \ldots, b_{\ell'})$, $\sigma = (s, \mathsf{c})$, $i \in [\rho]$, $r_i \in \{0,1\}$, and $\pi_i = \{(j, \mathsf{t}_j, \mathsf{u}_j)\}_{j \in S}$ for an implicitly-defined set $S \subseteq [\ell']$, the verification algorithm performs the following checks:

– Compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$ and the shifted set $S_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$. It checks that $S = S_i$ and outputs 0 if not.

– It checks that $\mathsf{u}_j = (\mathsf{t}_j^{a} \mathsf{c}^{b_j})^2$ for all $j \in S$, and outputs 0 if not.

– It checks that $r_i = H\big(\prod_{j \in S} \mathsf{t}_j^{2\alpha_j}\big)$ and outputs 0 if not.

If all checks pass, the verification algorithm outputs 1.

Correctness and security analysis. We state the correctness and security theorems for Construction E.16 here, but defer the proofs to Appendix E.2.1.

Theorem E.17 (Correctness). Construction E.16 is correct.

Theorem E.18 (Succinctness). Construction E.16 is succinct.

Theorem E.19 (CRS Indistinguishability). Suppose the DCR assumption holds with respect to SampleModulus. Then, Construction E.16 satisfies CRS indistinguishability.

Theorem E.20 (Statistical Binding in Binding Mode). Construction E.16 satisfies statistical binding in binding mode.

Theorem E.21 (Statistical Simulation in Hiding Mode). Construction E.16 satisfies statistical simulation in hiding mode.


E.2.1 Analysis of Construction E.16 (Dual-Mode (Malicious) HBG from DCR)

In this section, we give the proofs for the correctness and security theorems (Theorems E.17 to E.21) for the dual-mode hidden-bits generator with security against malicious verifiers from the DCR assumption (Construction E.16). The analysis is very similar to that of the basic scheme from DCR (Construction E.2).

Proof of Theorem E.17 (Correctness). Follows by an analogous argument as the proof of Theorem E.3.

Proof of Theorem E.18 (Succinctness). The commitment $\sigma$ in Construction E.16 consists of a PRG seed $s \in \{0,1\}^{\kappa}$ where $\kappa = \mathrm{poly}(\lambda)$ and an element of $\mathbb{Z}_{N^2}$, which has size $2\lceil \log N \rceil = \mathrm{poly}(\lambda)$.

Proof of Theorem E.19 (CRS Indistinguishability). Same as the proof of Theorem E.5.

Proof of Theorem E.20 (Statistical Binding). Follows by a similar argument as the proof of Theorem E.6.

Proof of Theorem E.21 (Statistical Hiding). We construct a simulator $\mathcal{S} = (\mathcal{S}_1, \mathcal{S}_2)$ as follows:

• $\mathcal{S}_1(1^\lambda, 1^\rho) \to (\mathsf{st}_{\mathcal{S}}, \mathsf{crs})$: Sample $(N, p, q) \leftarrow \mathsf{SampleModulus}(1^\lambda)$, where $p = 2p' + 1$ and $q = 2q' + 1$. Let $g$ be a generator of $\mathsf{NR}_{2N}$ and $h = 1 + N$ be the generator of $\mathbb{H}$. Sample a vector $\mathbf{v} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N^2/4 \rfloor}$, scalars $s_1, \ldots, s_{\ell'} \xleftarrow{R} \mathbb{Z}_{\lfloor N^2/4 \rfloor}$, and a hash function $H \xleftarrow{R} \mathcal{H}$. Output

$$\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{e}_{\ell'}}\big)$$

and $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, p', q', s_1, \ldots, s_{\ell'})$.

• $\mathcal{S}_2(\mathsf{st}_{\mathcal{S}}, \mathsf{pk}, I, \mathbf{r}_I) \to (\sigma, \{\pi_i\}_{i \in I})$: On input $\mathsf{st}_{\mathcal{S}} = (\mathsf{crs}, p', q', s_1, \ldots, s_{\ell'})$ where

$$\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{e}_{\ell'}}\big),$$

a public key $\mathsf{pk} = (\mathsf{z}_1, \ldots, \mathsf{z}_{\ell'})$, a set of indices $I \subseteq [\rho]$, and a bitstring $\mathbf{r}_I \in \{0,1\}^{|I|}$, the simulator does the following:

1. Check that $\mathsf{z}_i \in (\mathbb{Z}^*_{N^2})^{\ell'}$ for all $i \in [\ell']$. Output $\bot$ if this is not the case.

2. Sample a seed $s \xleftarrow{R} \{0,1\}^{\kappa}$ and compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$, where $\boldsymbol{\alpha} \in \mathbb{Z}^{\rho\ell}_N$. For each $i \in I$, it computes the shifted sets $S_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$.

3. Sample $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\ell'}_{p'q'}$. Then, it samples a vector $\bar{\mathbf{y}}' \in \mathbb{Z}^{\ell'}_N$ as follows:

– For each $i \in I$, let $\omega_i \leftarrow \sum_{j \in S_i} \alpha_j s_j \pmod{p'q'}$. Then, sample $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$ conditioned on $r_i = H\big((g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{\omega}_i})^2\big)$. Specifically, repeatedly sample $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$ until finding one that satisfies the relation. If no candidate is found after $\lambda$ attempts, then abort and output $\bot$. After sampling $\bar{\omega}_i$, sample $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$ for each $j \in S_i$ subject to the constraint that $\sum_{j \in S_i} \alpha_j \bar{y}'_j = \bar{\omega}_i$.

– For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i \in I} S_i$, sample $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$.

Define $\mathbf{y} \in \mathbb{Z}^{\ell'}_{Np'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}}' \pmod{N}$.

4. Next, the simulator computes $\sigma = (s, g^{\mathbf{y}^T \mathbf{v}})$, $\mathsf{t}_j = g^{s_j \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_j}$, and $\mathsf{u}_j \leftarrow \prod_{k \in [\ell']} \big(\mathsf{z}_{j,k}^2\big)^{y_k}$ for all $j \in S_i$ and $i \in I$. It sets $\pi_i = \{(j, \mathsf{t}_j, \mathsf{u}_j)\}_{j \in S_i}$.

5. Output $\sigma$ and $\{\pi_i\}_{i \in I}$.

We now use a hybrid argument to show that $\mathsf{ExptHide}[\mathcal{A}, 0]$ and $\mathsf{ExptHide}[\mathcal{A}, 1]$ are statistically indistinguishable:

• $\mathsf{Hyb}_0$: This is the experiment $\mathsf{ExptHide}[\mathcal{A}, \mathcal{S}, 0]$. Namely, the challenger begins by sampling $\mathsf{crs} \leftarrow \mathsf{Setup}(1^\lambda, 1^\rho, \mathsf{hiding})$, and gives crs to $\mathcal{A}$. The adversary $\mathcal{A}$ replies with a public key pk. For each challenge query, the challenger samples $(\sigma, \mathbf{r}, \{\pi_i\}_{i \in [\rho]}) \leftarrow \mathsf{GenBits}(\mathsf{crs}, \mathsf{pk})$ and gives $\mathbf{r}$ to $\mathcal{A}$ before receiving a set $I \subseteq [\rho]$ chosen by $\mathcal{A}$. It then replies with $\sigma$ and $\{\pi_i\}_{i \in I}$.

• $\mathsf{Hyb}_1$: This experiment is identical to $\mathsf{Hyb}_0$, except that the challenger computes $(\mathsf{st}_{\mathcal{S}}, \mathsf{crs}) \leftarrow \mathcal{S}_1(1^\lambda, 1^\rho)$ and uses the simulated crs in place of the one output by Setup. Everything else proceeds identically to $\mathsf{Hyb}_0$.

Specifically, in this experiment, the challenger samples $(N, p, q)$, $H$, $\mathbf{v}$, $s_1, \ldots, s_{\ell'}$ as specified by $\mathcal{S}_1$ and sets $\mathsf{crs} = \big(N, g, h, H, g^{\mathbf{v}}, g^{s_1 \mathbf{v}} h^{\mathbf{e}_1}, \ldots, g^{s_{\ell'} \mathbf{v}} h^{\mathbf{e}_{\ell'}}\big)$. It gives crs to $\mathcal{A}$ to receive a public key $\mathsf{pk} = (\mathsf{z}_1, \ldots, \mathsf{z}_{\ell'})$. On a challenge query, the challenger proceeds as follows:

1. Check that $\mathsf{z}_i \in (\mathbb{Z}^*_{N^2})^{\ell'}$ for all $i \in [\ell']$, and output $\bot$ otherwise.

2. Sample $s \xleftarrow{R} \{0,1\}^{\kappa}$ and compute $(S_1, \ldots, S_\rho, \boldsymbol{\alpha}) \leftarrow G(s)$. For each $i \in [\rho]$, let $S_i \leftarrow \{j + \ell \cdot (i-1) \mid j \in S_i\}$.

3. Sample $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N^2/4 \rfloor}$ and compute for each $j \in [\ell']$,

$$\mathsf{c} \leftarrow g^{\mathbf{y}^T \mathbf{v}} \quad\text{and}\quad \mathsf{t}_j \leftarrow g^{s_j \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_j} \quad\text{and}\quad \mathsf{u}_j \leftarrow \prod_{k \in [\ell']} \big(\mathsf{z}_{j,k}^2\big)^{y_k}.$$

4. For each $i \in [\rho]$, compute $r_i \leftarrow H\big(\prod_{j \in S_i} \mathsf{t}_j^{2\alpha_j}\big)$ and $\pi_i \leftarrow \{(j, \mathsf{t}_j, \mathsf{u}_j)\}_{j \in S_i}$.

5. The challenger gives $\mathbf{r}$ to $\mathcal{A}$ and receives a set $I \subseteq [\rho]$.

6. The challenger replies with $\sigma = (s, \mathsf{c})$ and the set $\{\pi_i\}_{i \in I}$.

• $\mathsf{Hyb}_2$: Same as $\mathsf{Hyb}_1$, except when responding to challenge queries, the challenger samples $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{Np'q'}$ instead of $\mathbf{y} \xleftarrow{R} \mathbb{Z}^{\ell'}_{\lfloor N^2/4 \rfloor}$.

• $\mathsf{Hyb}_3$: Same as $\mathsf{Hyb}_2$, except when responding to the challenge queries, the challenger first samples $\mathbf{y}' \xleftarrow{R} \mathbb{Z}^{\ell'}_{p'q'}$ and $\bar{\mathbf{y}}' \xleftarrow{R} \mathbb{Z}^{\ell'}_N$. It defines $\mathbf{y} \in \mathbb{Z}^{\ell'}_{Np'q'}$ to be the vector where $\mathbf{y} = \mathbf{y}' \pmod{p'q'}$ and $\mathbf{y} = \bar{\mathbf{y}}' \pmod{N}$.

• $\mathsf{Hyb}_4$: Same as $\mathsf{Hyb}_3$, except when responding to challenge queries, the challenger samples $s$ and $\mathbf{y}'$ as in $\mathsf{Hyb}_3$. Next, for each $i \in [\rho]$, it samples $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$, and for $j \in S_i$, it samples $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$ subject to the constraint that $\sum_{j \in S_i} \alpha_j \bar{y}'_j = \bar{\omega}_i$. For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i \in I} S_i$, sample $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$.

• $\mathsf{Hyb}_5$: Same as $\mathsf{Hyb}_4$, except when responding to the challenge queries, the challenger first samples $\mathbf{r} \xleftarrow{R} \{0,1\}^{\rho}$. Then, after sampling $s$ and $\mathbf{y}'$, it computes for each $i \in [\rho]$, $\omega_i \leftarrow \sum_{j \in S_i} \alpha_j s_j \pmod{p'q'}$. Then, it samples $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$ conditioned on $r_i = H\big((g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{\omega}_i})^2\big)$. It uses the same rejection sampling procedure as in $\mathcal{S}_2$ to sample $\bar{\omega}_i$.

• $\mathsf{Hyb}_6$: Same as $\mathsf{Hyb}_5$, except when responding to the challenge queries, the challenger samples $\bar{\mathbf{y}}' \in \mathbb{Z}^{\ell'}_N$ after it receives the challenge set. On each query, after the challenger receives the set $I \subseteq [\rho]$, it samples $\bar{\mathbf{y}}'$ as follows:

– For each $i \in I$, let $\omega_i \leftarrow \sum_{j \in S_i} \alpha_j s_j \pmod{p'q'}$. Then, sample $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$ conditioned on $r_i = H\big((g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{\omega}_i})^2\big)$ using the same rejection sampling procedure as in $\mathsf{Hyb}_5$. After sampling $\bar{\omega}_i$, sample $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$ for each $j \in S_i$ subject to the constraint that $\sum_{j \in S_i} \alpha_j \bar{y}'_j = \bar{\omega}_i$.

– For all of the remaining indices $j \in [\ell'] \setminus \bigcup_{i \in I} S_i$, sample $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$.

The remaining components are constructed as in $\mathsf{Hyb}_5$. This is exactly the distribution in $\mathsf{ExptHide}[\mathcal{A}, \mathcal{S}, 1]$.

For an adversary $\mathcal{A}$, we write $\mathsf{Hyb}_i(\mathcal{A})$ to denote the output of $\mathsf{Hyb}_i$ with adversary $\mathcal{A}$. In the following, we show that the output distribution on each pair of adjacent experiments is statistically indistinguishable (or identically distributed).

Lemma E.22. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_0(\mathcal{A}) \equiv \mathsf{Hyb}_1(\mathcal{A})$.

Proof. Since $\mathcal{S}_1(1^\lambda, 1^\rho)$ samples crs using the same procedure as $\mathsf{Setup}(1^\lambda, 1^\rho)$, the output distributions of $\mathsf{Hyb}_0$ and $\mathsf{Hyb}_1$ are identical.

Lemma E.23. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_1(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_2(\mathcal{A})$.

Proof. Follows by the same argument as the proof of Lemma E.12.

Lemma E.24. For all adversaries $\mathcal{A}$, $\mathsf{Hyb}_2(\mathcal{A}) \equiv \mathsf{Hyb}_3(\mathcal{A})$.

Proof. Follows by the Chinese remainder theorem (as in the proof of Lemma E.13).

Lemma E.25. If $G$ is a secure PRG, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_3(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_4(\mathcal{A})$.

Proof. In $\mathsf{Hyb}_3$, the challenger samples $\bar{\mathbf{y}}' \xleftarrow{R} \mathbb{Z}^{\ell'}_N$ while in $\mathsf{Hyb}_4$, the challenger samples $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$ subject to the constraint that $\sum_{j \in S_i} \alpha_j \bar{y}'_j = \bar{\omega}_i$ where $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$ for $j \in S_i$ and $i \in [\rho]$. For the indices $j \in [\ell'] \setminus \bigcup_{i \in I} S_i$, $\bar{y}'_j \xleftarrow{R} \mathbb{Z}_N$. These distributions are identical as long as there exists some $j \in S_i$ where $\alpha_j \in \mathbb{Z}^*_N$ for each $i \in [\rho]$. Since $G$ is a secure PRG, this holds with overwhelming probability (by a similar argument as in the proof of Claim C.11).

Lemma E.26. If $H$ is a universal hash, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_4(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_5(\mathcal{A})$.

Proof. The only difference is that the challenger samples $\bar{\mathbf{y}}' \in \mathbb{Z}^{\ell'}_N$ first in $\mathsf{Hyb}_4$ while it samples $\mathbf{r} \in \{0,1\}^{\rho}$ first in $\mathsf{Hyb}_5$. We show that these two distributions are statistically indistinguishable. In $\mathsf{Hyb}_4$, each challenge bit $r_i$ satisfies

$$r_i = H\Big(\prod_{j \in S_i} \mathsf{t}_j^{2\alpha_j}\Big) = H\Big(\prod_{j \in S_i} \big(g^{s_j \mathbf{y}^T \mathbf{v}} h^{\mathbf{y}^T \mathbf{e}_j}\big)^{2\alpha_j}\Big) = H\big((g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{\omega}_i})^2\big), \tag{E.3}$$

where $\omega_i = \sum_{j \in S_i} \alpha_j s_j \pmod{p'q'}$ and $\bar{\omega}_i = \sum_{j \in S_i} \alpha_j \bar{y}'_j \pmod{N}$, since $g$ generates a group of order $p'q'$ and $h$ generates a group of order $N$. Now, in $\mathsf{Hyb}_4$, each $\bar{\omega}_i$ is uniform over $\mathbb{Z}_N$, and $r_i$ is derived from Eq. (E.3), while in $\mathsf{Hyb}_5$, $r_i \xleftarrow{R} \{0,1\}$, and $\bar{\omega}_i$ is sampled uniformly from $\mathbb{Z}_N$ subject to Eq. (E.3). Using an analogous argument to Lemma E.14, these two distributions are statistically indistinguishable.

Lemma E.27. If $G$ is a secure PRG, then for all adversaries $\mathcal{A}$, $\mathsf{Hyb}_5(\mathcal{A}) \stackrel{s}{\approx} \mathsf{Hyb}_6(\mathcal{A})$.

Proof. The challenger samples crs identically in the two experiments, so $N$, $g$, $h$, $\mathbf{v}$, $s_1, \ldots, s_{\ell'}$ are identically distributed in the two experiments, and it suffices to consider its responses to the challenge queries. In both experiments, on each query, the challenger starts by sending the adversary a random string $\mathbf{r} \xleftarrow{R} \{0,1\}^{\rho}$, and the adversary replies with a set $I \subseteq [\rho]$. The challenger then replies with a commitment $\sigma = (s, \mathsf{c})$ and a set of proofs $\{\pi_i\}_{i \in I}$, where $\pi_i = \{(j, \mathsf{t}_j, \mathsf{u}_j)\}_{j \in S_i}$. We show that the challenger's responses are statistically indistinguishable in the two experiments. To this end, we define the following variables:

• For $i \in [\rho]$, let $\bar{\mathbf{y}}^{(i)} \in \mathbb{Z}^{\ell}_N$ be the vector where $\bar{y}^{(i)}_j = \bar{y}'_{j + \ell \cdot (i-1)} \in \mathbb{Z}_N$. In other words,

$$(\bar{\mathbf{y}}')^T = \big[\, (\bar{\mathbf{y}}^{(1)})^T \mid \cdots \mid (\bar{\mathbf{y}}^{(\rho)})^T \,\big] \in \mathbb{Z}^{\ell'}_N.$$

• For $i \in [\rho]$, define $\boldsymbol{\alpha}^{(i)} = (\alpha^{(i)}_1, \ldots, \alpha^{(i)}_{\ell})^T \in \mathbb{Z}^{\ell}_N$ as follows:

$$\alpha^{(i)}_j = \begin{cases} \alpha_{j + \ell \cdot (i-1)} & \text{if } j \in S_i \\ 0 & \text{otherwise.} \end{cases}$$

We now consider the different components in the two experiments:

• The string $\mathbf{r}$ is independently and uniformly sampled from $\{0,1\}^{\rho}$ in both experiments.

• The seed $s$ is independently and uniformly sampled from $\{0,1\}^{\kappa}$ in both experiments, so the seed $s$, the sets $S_1, \ldots, S_\rho$, and the vector $\boldsymbol{\alpha}$ are identically distributed as well.

• The vector $\mathbf{y}'$ is sampled uniformly from $\mathbb{Z}^{\ell'}_{p'q'}$ in both experiments. Since $g$ generates a group of order $p'q'$, the commitment $\mathsf{c} = g^{\mathbf{y}^T \mathbf{v}} = g^{(\mathbf{y}')^T \mathbf{v}}$ is identically distributed in $\mathsf{Hyb}_5$ and $\mathsf{Hyb}_6$.

• For all $i \in I$, both experiments set $\omega_i \leftarrow \sum_{j \in S_i} \alpha_j s_j \pmod{p'q'}$ and sample $\bar{\omega}_i \xleftarrow{R} \mathbb{Z}_N$ subject to $r_i = H\big((g^{\omega_i (\mathbf{y}')^T \mathbf{v}} h^{\bar{\omega}_i})^2\big)$. This means that the vectors $\bar{\mathbf{y}}^{(i)}$ for $i \in I$ are identically distributed in the two experiments. Then, for $j \in S_i$, we have that $\mathsf{t}_j = g^{s_j (\mathbf{y}')^T \mathbf{v}} h^{\bar{y}'_j}$, so the components $\mathsf{t}_j$ for $j \in S_i$ and $i \in I$ are identically distributed.

It suffices to show that the remaining components $\{\mathsf{u}_j\}_{j \in S_i}$ for $i \in I$ are drawn from statistically indistinguishable distributions (from the view of the adversary). First, let

$$J = \{\, j \in [\ell'] : j \in S_i \text{ for some } i \in I \,\}$$

be the set of indices that appear in some set $S_i$ for $i \in I$. Since $|S_i| = \lambda$ and the $S_i$'s are pairwise disjoint, $|J| = \lambda |I| \le \lambda\rho = \ell/3$.

It suffices to consider the case where $\mathsf{z}_j \in (\mathbb{Z}^*_{N^2})^{\ell'}$ for all $j \in [\ell']$. Otherwise, both experiments output $\bot$. This means $\mathsf{z}_{j,k}^2 \in \mathsf{NR}_{2N} \times \mathbb{H}$, and correspondingly, we can write $\mathsf{z}_{j,k}^2 = g^{z_{j,k}} h^{\bar{z}_{j,k}}$ for some $z_{j,k} \in \mathbb{Z}_{p'q'}$ and $\bar{z}_{j,k} \in \mathbb{Z}_N$. Now, for all $j \in S_i$ and $i \in I$, the challenger (in both experiments) computes $\mathsf{u}_j$ as

$$\mathsf{u}_j = \prod_{k \in [\ell']} \big(\mathsf{z}_{j,k}^2\big)^{y_k} = \prod_{k \in [\ell']} g^{z_{j,k} y_k} h^{\bar{z}_{j,k} y_k} = g^{(\mathbf{y}')^T \mathbf{z}_j} h^{(\bar{\mathbf{y}}')^T \bar{\mathbf{z}}_j}.$$

Since $\mathbf{y}'$ is identically distributed in $\mathsf{Hyb}_5$ and $\mathsf{Hyb}_6$, it suffices to consider the distribution of $\mathsf{u}_j$ in the $\mathbb{H}$ subgroup, or equivalently, the distribution of $(\bar{\mathbf{y}}')^T \bar{\mathbf{z}}_j$ over $\mathbb{Z}_N$. Let $\bar{\mathbf{Z}} \in \mathbb{Z}^{\ell' \times \ell'}_N$ be the matrix whose columns are $\bar{\mathbf{z}}_1, \ldots, \bar{\mathbf{z}}_{\ell'}$. Let $\bar{\mathbf{Z}}' \in \mathbb{Z}^{\ell' \times \lambda|I|}_N$ be the submatrix of $\bar{\mathbf{Z}}$ formed by taking only the columns in $\bar{\mathbf{Z}}$ indexed by the set $J$. In particular, the values of $h^{(\bar{\mathbf{y}}')^T \bar{\mathbf{Z}}'} \in \mathbb{H}^{\lambda|I|}$ precisely coincide with the components in the $\mathbb{H}$-subgroup of $\mathsf{u}_j$ for $j \in S_i$ and $i \in I$. Thus, it suffices to show that for these indices $j \in S_i$ and $i \in I$, the distributions of $(\bar{\mathbf{y}}')^T \bar{\mathbf{Z}}' \in \mathbb{Z}^{\lambda|I|}_N$ are statistically indistinguishable in the two experiments. First, for $i \in [\rho]$, let $\bar{\mathbf{Z}}^{(i)} \in \mathbb{Z}^{\ell \times \lambda|I|}_N$ be matrices such that

$$\bar{\mathbf{Z}}' = \begin{bmatrix} \bar{\mathbf{Z}}^{(1)} \\ \vdots \\ \bar{\mathbf{Z}}^{(\rho)} \end{bmatrix}.$$

This means that

$$(\bar{\mathbf{y}}')^T \bar{\mathbf{Z}}' = \sum_{i \in [\rho]} \Big( (\bar{\mathbf{y}}^{(i)})^T \bar{\mathbf{Z}}^{(i)} \Big) \in \mathbb{Z}^{\lambda|I|}_N. \tag{E.4}$$

By definition, $\bar{\mathbf{Z}}$ is a fixed matrix (determined by the CRS and the adversary's public key) and independent of $\bar{\mathbf{y}}'$. Since each $\bar{\mathbf{y}}^{(i)}$ is sampled independently, we can consider each term individually in this summation:

• If $i \in I$, then as argued above, $\bar{\mathbf{y}}^{(i)}$ is identically distributed in $\mathsf{Hyb}_5$ and $\mathsf{Hyb}_6$, and correspondingly, so is the product $(\bar{\mathbf{y}}^{(i)})^T \bar{\mathbf{Z}}^{(i)}$.

• If $i \notin I$, then the $\bar{\mathbf{y}}^{(i)}$ in the two experiments are sampled from distinct distributions. In $\mathsf{Hyb}_5$, $\bar{\mathbf{y}}^{(i)}$ is uniform over $\mathbb{Z}^{\ell}_N$ subject to $\bar{\omega}_i = \sum_{j \in [\ell]} \alpha^{(i)}_j \bar{y}^{(i)}_j$, while in $\mathsf{Hyb}_6$, $\bar{\mathbf{y}}^{(i)}$ is uniform over $\mathbb{Z}^{\ell}_N$. By the Chinese remainder theorem, we can sample (and analyze) the $\mathbb{Z}_p$ and $\mathbb{Z}_q$ components of $\bar{\mathbf{y}}^{(i)}$ independently.

Define $\bar{\mathbf{Z}}^{(i)}_p$, $\bar{\mathbf{Z}}^{(i)}_q$, $\boldsymbol{\alpha}^{(i)}_p$, and $\boldsymbol{\alpha}^{(i)}_q$ as follows:

$$\bar{\mathbf{Z}}^{(i)}_p = \bar{\mathbf{Z}}^{(i)} \pmod{p}, \quad \boldsymbol{\alpha}^{(i)}_p = \boldsymbol{\alpha}^{(i)} \pmod{p}, \quad \bar{\mathbf{Z}}^{(i)}_q = \bar{\mathbf{Z}}^{(i)} \pmod{q}, \quad \boldsymbol{\alpha}^{(i)}_q = \boldsymbol{\alpha}^{(i)} \pmod{q}.$$

By Claim C.11 (generalized to $\mathbb{Z}_N$ via the Chinese remainder theorem), we have that with overwhelming probability, $\boldsymbol{\alpha}^{(i)}_p \notin \mathrm{span}(\bar{\mathbf{Z}}^{(i)}_p)$ and $\boldsymbol{\alpha}^{(i)}_q \notin \mathrm{span}(\bar{\mathbf{Z}}^{(i)}_q)$. By Claim C.12, this means that the distribution of $(\bar{\mathbf{y}}^{(i)})^T \bar{\mathbf{Z}}^{(i)}_p \pmod{p}$ in $\mathsf{Hyb}_5$ (where $\bar{\mathbf{y}}^{(i)} \pmod{p}$ is uniform subject to a linear constraint $\boldsymbol{\alpha}^{(i)}_p \notin \mathrm{span}(\bar{\mathbf{Z}}^{(i)}_p)$) is statistically indistinguishable from its distribution in $\mathsf{Hyb}_6$ (where $\bar{\mathbf{y}}^{(i)} \pmod{p}$ is uniform). By the same argument, the distributions of $(\bar{\mathbf{y}}^{(i)})^T \bar{\mathbf{Z}}^{(i)}_q \pmod{q}$ in $\mathsf{Hyb}_5$ and $\mathsf{Hyb}_6$ are also statistically indistinguishable. By the Chinese remainder theorem and a union bound, this means that the product $(\bar{\mathbf{y}}^{(i)})^T \bar{\mathbf{Z}}^{(i)} \in \mathbb{Z}^{\lambda|I|}_N$ is statistically indistinguishable in the two experiments.

Since every term in Eq. (E.4) is either statistically indistinguishable or identically distributed in the two experiments, we conclude that $(\bar{\mathbf{y}}')^T \bar{\mathbf{Z}}'$ is also statistically indistinguishable in the two experiments. Correspondingly, this means that the components $\mathsf{u}_j$ for $j \in S_i$ and $i \in I$ are also statistically indistinguishable in the two experiments.

Since each consecutive pair of hybrid experiments is statistically indistinguishable (or identically distributed), the theorem follows.
